Message | Id | Version | Qualifiers | Level | Task | Opcode | Keywords | RecordId | ProviderName | ProviderId | LogName | ProcessId | ThreadId | MachineName | UserId | TimeCreated | ActivityId | RelatedActivityId | ContainerLog | MatchedQueryIds | Bookmark | LevelDisplayName | OpcodeDisplayName | TaskDisplayName | KeywordsDisplayNames | Properties |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17776 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:44:10 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x328
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17775 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:44:10 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-21-2114670727-606540684-783651581-1001
Account Name: Admin
Account Domain: N-H1-849328-3
Logon ID: 0x2036F
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Process Information:
Process ID: 0x9d8
Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 17774 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:44:09 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Cryptographic operation.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: RSA
Key Name: 40e41d01-68cd-4460-9fd4-0564d5289d6f
Key Type: Machine key.
Cryptographic Operation:
Operation: Open Key.
Return Code: 0x0 | 5061 | 0 | | 0 | 12290 | 0 | -9214364837600034816 | 17773 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:44:05 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | System Integrity | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Key file operation.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: UNKNOWN
Key Name: 40e41d01-68cd-4460-9fd4-0564d5289d6f
Key Type: Machine key.
Key File Operation Information:
File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\8393cd0ea261579156fd7b62dc3a5267_aed26481-f95f-43a5-9ed9-d7743aaab555
Operation: Read persisted key from file.
Return Code: 0x0 | 5058 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 17772 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:44:05 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-813795983-1267232490-4119460525-404474260
Account Name: 30818A8F-6EEA-4B88-ADFA-89F594C91B18
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6F1B42
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17771 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:43:44 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x7034E2
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17770 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:43:23 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Identification
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x7034E2
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {263E8714-E751-0AC8-D615-26BB3905D945}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 64567
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17769 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:43:08 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x7034E2
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17768 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:43:08 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-813795983-1267232490-4119460525-404474260
Account Name: 30818A8F-6EEA-4B88-ADFA-89F594C91B18
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6FF0C6
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17767 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:41:33 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-813795983-1267232490-4119460525-404474260
Account Name: 30818A8F-6EEA-4B88-ADFA-89F594C91B18
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6FF0C6
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17766 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:41:33 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-813795983-1267232490-4119460525-404474260
Account Name: 30818A8F-6EEA-4B88-ADFA-89F594C91B18
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6FF0C6
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17765 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:41:33 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 30818A8F-6EEA-4B88-ADFA-89F594C91B18
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17764 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:41:33 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x6FB651
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17763 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:41:17 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Identification
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x6FB651
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {263E8714-E751-0AC8-D615-26BB3905D945}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 64557
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17762 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:41:07 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x6FB651
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17761 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:41:07 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-813795983-1267232490-4119460525-404474260
Account Name: 30818A8F-6EEA-4B88-ADFA-89F594C91B18
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6F5476
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17760 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:39:22 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-813795983-1267232490-4119460525-404474260
Account Name: 30818A8F-6EEA-4B88-ADFA-89F594C91B18
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6F5476
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17759 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:39:22 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-813795983-1267232490-4119460525-404474260
Account Name: 30818A8F-6EEA-4B88-ADFA-89F594C91B18
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6F5476
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17758 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:39:22 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 30818A8F-6EEA-4B88-ADFA-89F594C91B18
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17757 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:39:22 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x6EF7F5
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17756 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:39:20 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-813795983-1267232490-4119460525-404474260
Account Name: 30818A8F-6EEA-4B88-ADFA-89F594C91B18
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6F287F
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17755 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:39:17 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-813795983-1267232490-4119460525-404474260
Account Name: 30818A8F-6EEA-4B88-ADFA-89F594C91B18
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6F287F
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17754 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:39:17 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-813795983-1267232490-4119460525-404474260
Account Name: 30818A8F-6EEA-4B88-ADFA-89F594C91B18
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6F287F
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17753 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:39:17 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 30818A8F-6EEA-4B88-ADFA-89F594C91B18
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17752 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:39:17 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-813795983-1267232490-4119460525-404474260
Account Name: 30818A8F-6EEA-4B88-ADFA-89F594C91B18
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6F19FA
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17751 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:39:16 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-813795983-1267232490-4119460525-404474260
Account Name: 30818A8F-6EEA-4B88-ADFA-89F594C91B18
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6F1B42
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17750 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:39:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-813795983-1267232490-4119460525-404474260
Account Name: 30818A8F-6EEA-4B88-ADFA-89F594C91B18
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6F1B42
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17749 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:39:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 30818A8F-6EEA-4B88-ADFA-89F594C91B18
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17748 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:39:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-813795983-1267232490-4119460525-404474260
Account Name: 30818A8F-6EEA-4B88-ADFA-89F594C91B18
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6F1AE9
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17747 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:39:16 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-813795983-1267232490-4119460525-404474260
Account Name: 30818A8F-6EEA-4B88-ADFA-89F594C91B18
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6F1AE9
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17746 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:39:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-813795983-1267232490-4119460525-404474260
Account Name: 30818A8F-6EEA-4B88-ADFA-89F594C91B18
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6F1AE9
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17745 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:39:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 30818A8F-6EEA-4B88-ADFA-89F594C91B18
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17744 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:39:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-813795983-1267232490-4119460525-404474260
Account Name: 30818A8F-6EEA-4B88-ADFA-89F594C91B18
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6F1AA0
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17743 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:39:16 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-813795983-1267232490-4119460525-404474260
Account Name: 30818A8F-6EEA-4B88-ADFA-89F594C91B18
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6F1AA0
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17742 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:39:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-813795983-1267232490-4119460525-404474260
Account Name: 30818A8F-6EEA-4B88-ADFA-89F594C91B18
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6F1AA0
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17741 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:39:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 30818A8F-6EEA-4B88-ADFA-89F594C91B18
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17740 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:39:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-813795983-1267232490-4119460525-404474260
Account Name: 30818A8F-6EEA-4B88-ADFA-89F594C91B18
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6F19FA
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17739 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:39:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-813795983-1267232490-4119460525-404474260
Account Name: 30818A8F-6EEA-4B88-ADFA-89F594C91B18
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6F19FA
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17738 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:39:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 30818A8F-6EEA-4B88-ADFA-89F594C91B18
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17737 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:39:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Identification
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x6EF7F5
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {263E8714-E751-0AC8-D615-26BB3905D945}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 64554
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17736 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:39:06 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x6EF7F5
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17735 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:39:06 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2248283691-1175201854-4166398128-366009145
Account Name: 8602162B-283E-460C-B030-56F839DBD015
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6DF2D0
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17734 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:38:42 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2248283691-1175201854-4166398128-366009145
Account Name: 8602162B-283E-460C-B030-56F839DBD015
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6E46C4
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17733 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:37:25 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2248283691-1175201854-4166398128-366009145
Account Name: 8602162B-283E-460C-B030-56F839DBD015
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6E46C4
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17732 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:37:25 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2248283691-1175201854-4166398128-366009145
Account Name: 8602162B-283E-460C-B030-56F839DBD015
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6E46C4
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17731 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:37:25 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 8602162B-283E-460C-B030-56F839DBD015
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17730 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:37:25 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2248283691-1175201854-4166398128-366009145
Account Name: 8602162B-283E-460C-B030-56F839DBD015
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6E1834
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17729 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:37:20 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2248283691-1175201854-4166398128-366009145
Account Name: 8602162B-283E-460C-B030-56F839DBD015
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6E1834
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17728 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:37:20 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2248283691-1175201854-4166398128-366009145
Account Name: 8602162B-283E-460C-B030-56F839DBD015
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6E1834
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17727 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:37:20 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 8602162B-283E-460C-B030-56F839DBD015
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17726 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:37:20 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x6DD1AF
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17725 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:37:15 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2248283691-1175201854-4166398128-366009145
Account Name: 8602162B-283E-460C-B030-56F839DBD015
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6DF175
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17724 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:37:15 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2248283691-1175201854-4166398128-366009145
Account Name: 8602162B-283E-460C-B030-56F839DBD015
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6DF2D0
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17723 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:37:15 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2248283691-1175201854-4166398128-366009145
Account Name: 8602162B-283E-460C-B030-56F839DBD015
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6DF2D0
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17722 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:37:15 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 8602162B-283E-460C-B030-56F839DBD015
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17721 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:37:15 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2248283691-1175201854-4166398128-366009145
Account Name: 8602162B-283E-460C-B030-56F839DBD015
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6DF277
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17720 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:37:15 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2248283691-1175201854-4166398128-366009145
Account Name: 8602162B-283E-460C-B030-56F839DBD015
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6DF277
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17719 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:37:15 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2248283691-1175201854-4166398128-366009145
Account Name: 8602162B-283E-460C-B030-56F839DBD015
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6DF277
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17718 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:37:15 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 8602162B-283E-460C-B030-56F839DBD015
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17717 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:37:15 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2248283691-1175201854-4166398128-366009145
Account Name: 8602162B-283E-460C-B030-56F839DBD015
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6DF22D
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17716 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:37:15 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2248283691-1175201854-4166398128-366009145
Account Name: 8602162B-283E-460C-B030-56F839DBD015
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6DF22D
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17715 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:37:15 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2248283691-1175201854-4166398128-366009145
Account Name: 8602162B-283E-460C-B030-56F839DBD015
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6DF22D
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17714 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:37:15 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 8602162B-283E-460C-B030-56F839DBD015
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17713 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:37:15 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2248283691-1175201854-4166398128-366009145
Account Name: 8602162B-283E-460C-B030-56F839DBD015
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6DF175
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17712 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:37:15 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2248283691-1175201854-4166398128-366009145
Account Name: 8602162B-283E-460C-B030-56F839DBD015
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6DF175
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17711 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:37:15 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 8602162B-283E-460C-B030-56F839DBD015
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17710 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:37:15 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Identification
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x6DD1AF
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {263E8714-E751-0AC8-D615-26BB3905D945}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 64550
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17709 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:37:05 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x6DD1AF
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17708 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:37:05 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1813312993-1178572541-161402244-727096101
Account Name: 6C14F5E1-96FD-463F-84CD-9E09259B562B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6C9E63
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17707 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:37:00 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x6D17A7
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17706 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:35:18 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Identification
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x6D17A7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {263E8714-E751-0AC8-D615-26BB3905D945}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 64543
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17705 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:35:04 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x6D17A7
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17704 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:35:04 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1813312993-1178572541-161402244-727096101
Account Name: 6C14F5E1-96FD-463F-84CD-9E09259B562B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6CFA65
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17703 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:34:48 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1813312993-1178572541-161402244-727096101
Account Name: 6C14F5E1-96FD-463F-84CD-9E09259B562B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6CFA65
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17702 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:34:48 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1813312993-1178572541-161402244-727096101
Account Name: 6C14F5E1-96FD-463F-84CD-9E09259B562B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6CFA65
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17701 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:34:48 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 6C14F5E1-96FD-463F-84CD-9E09259B562B
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17700 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:34:48 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1813312993-1178572541-161402244-727096101
Account Name: 6C14F5E1-96FD-463F-84CD-9E09259B562B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6CC956
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17699 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:34:44 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1813312993-1178572541-161402244-727096101
Account Name: 6C14F5E1-96FD-463F-84CD-9E09259B562B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6CC956
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17698 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:34:44 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1813312993-1178572541-161402244-727096101
Account Name: 6C14F5E1-96FD-463F-84CD-9E09259B562B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6CC956
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17697 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:34:44 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 6C14F5E1-96FD-463F-84CD-9E09259B562B
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17696 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:34:44 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1813312993-1178572541-161402244-727096101
Account Name: 6C14F5E1-96FD-463F-84CD-9E09259B562B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6C9D08
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17695 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:34:38 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1813312993-1178572541-161402244-727096101
Account Name: 6C14F5E1-96FD-463F-84CD-9E09259B562B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6C9E63
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17694 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:34:38 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1813312993-1178572541-161402244-727096101
Account Name: 6C14F5E1-96FD-463F-84CD-9E09259B562B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6C9E63
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17693 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:34:38 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 6C14F5E1-96FD-463F-84CD-9E09259B562B
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17692 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:34:38 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1813312993-1178572541-161402244-727096101
Account Name: 6C14F5E1-96FD-463F-84CD-9E09259B562B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6C9E0A
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17691 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:34:38 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1813312993-1178572541-161402244-727096101
Account Name: 6C14F5E1-96FD-463F-84CD-9E09259B562B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6C9E0A
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17690 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:34:38 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1813312993-1178572541-161402244-727096101
Account Name: 6C14F5E1-96FD-463F-84CD-9E09259B562B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6C9E0A
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17689 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:34:38 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 6C14F5E1-96FD-463F-84CD-9E09259B562B
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17688 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:34:38 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1813312993-1178572541-161402244-727096101
Account Name: 6C14F5E1-96FD-463F-84CD-9E09259B562B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6C9DC0
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17687 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:34:38 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1813312993-1178572541-161402244-727096101
Account Name: 6C14F5E1-96FD-463F-84CD-9E09259B562B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6C9DC0
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17686 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:34:38 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1813312993-1178572541-161402244-727096101
Account Name: 6C14F5E1-96FD-463F-84CD-9E09259B562B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6C9DC0
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17685 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:34:38 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 6C14F5E1-96FD-463F-84CD-9E09259B562B
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17684 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:34:38 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1813312993-1178572541-161402244-727096101
Account Name: 6C14F5E1-96FD-463F-84CD-9E09259B562B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6C9D08
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17683 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:34:38 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1813312993-1178572541-161402244-727096101
Account Name: 6C14F5E1-96FD-463F-84CD-9E09259B562B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6C9D08
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17682 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:34:38 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 6C14F5E1-96FD-463F-84CD-9E09259B562B
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17681 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:34:38 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x6C4125
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17680 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:33:13 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Identification
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x6C4125
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {263E8714-E751-0AC8-D615-26BB3905D945}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 64539
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17679 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:33:03 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x6C4125
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17678 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:33:03 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3683585662-1113033933-2375018652-210720565
Account Name: DB8F0E7E-8CCD-4257-9CE8-8F8D35578F0C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6AF69C
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17677 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:32:31 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3683585662-1113033933-2375018652-210720565
Account Name: DB8F0E7E-8CCD-4257-9CE8-8F8D35578F0C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6BEC2E
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17676 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:32:29 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3683585662-1113033933-2375018652-210720565
Account Name: DB8F0E7E-8CCD-4257-9CE8-8F8D35578F0C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6BEC2E
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17675 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:32:29 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3683585662-1113033933-2375018652-210720565
Account Name: DB8F0E7E-8CCD-4257-9CE8-8F8D35578F0C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6BEC2E
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17674 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:32:29 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: DB8F0E7E-8CCD-4257-9CE8-8F8D35578F0C
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17673 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:32:29 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x6B799F
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17672 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:31:16 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Identification
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x6B799F
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {263E8714-E751-0AC8-D615-26BB3905D945}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 64528
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17671 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:31:02 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x6B799F
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17670 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:31:02 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3683585662-1113033933-2375018652-210720565
Account Name: DB8F0E7E-8CCD-4257-9CE8-8F8D35578F0C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6B3277
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17669 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:30:07 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3683585662-1113033933-2375018652-210720565
Account Name: DB8F0E7E-8CCD-4257-9CE8-8F8D35578F0C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6B3277
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17668 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:30:07 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3683585662-1113033933-2375018652-210720565
Account Name: DB8F0E7E-8CCD-4257-9CE8-8F8D35578F0C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6B3277
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17667 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:30:07 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: DB8F0E7E-8CCD-4257-9CE8-8F8D35578F0C
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17666 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:30:07 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3683585662-1113033933-2375018652-210720565
Account Name: DB8F0E7E-8CCD-4257-9CE8-8F8D35578F0C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6B03F6
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17665 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:30:02 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3683585662-1113033933-2375018652-210720565
Account Name: DB8F0E7E-8CCD-4257-9CE8-8F8D35578F0C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6B03F6
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17664 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:30:02 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3683585662-1113033933-2375018652-210720565
Account Name: DB8F0E7E-8CCD-4257-9CE8-8F8D35578F0C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6B03F6
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17663 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:30:02 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: DB8F0E7E-8CCD-4257-9CE8-8F8D35578F0C
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17662 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:30:02 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3683585662-1113033933-2375018652-210720565
Account Name: DB8F0E7E-8CCD-4257-9CE8-8F8D35578F0C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6AF554
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17661 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:30:01 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3683585662-1113033933-2375018652-210720565
Account Name: DB8F0E7E-8CCD-4257-9CE8-8F8D35578F0C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6AF69C
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17660 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:30:01 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3683585662-1113033933-2375018652-210720565
Account Name: DB8F0E7E-8CCD-4257-9CE8-8F8D35578F0C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6AF69C
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17659 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:30:01 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: DB8F0E7E-8CCD-4257-9CE8-8F8D35578F0C
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17658 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:30:01 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3683585662-1113033933-2375018652-210720565
Account Name: DB8F0E7E-8CCD-4257-9CE8-8F8D35578F0C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6AF643
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17657 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:30:01 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3683585662-1113033933-2375018652-210720565
Account Name: DB8F0E7E-8CCD-4257-9CE8-8F8D35578F0C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6AF643
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17656 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:30:01 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3683585662-1113033933-2375018652-210720565
Account Name: DB8F0E7E-8CCD-4257-9CE8-8F8D35578F0C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6AF643
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17655 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:30:01 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: DB8F0E7E-8CCD-4257-9CE8-8F8D35578F0C
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17654 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:30:01 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3683585662-1113033933-2375018652-210720565
Account Name: DB8F0E7E-8CCD-4257-9CE8-8F8D35578F0C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6AF5FA
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17653 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:30:01 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3683585662-1113033933-2375018652-210720565
Account Name: DB8F0E7E-8CCD-4257-9CE8-8F8D35578F0C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6AF5FA
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17652 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:30:01 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3683585662-1113033933-2375018652-210720565
Account Name: DB8F0E7E-8CCD-4257-9CE8-8F8D35578F0C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6AF5FA
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17651 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:30:01 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: DB8F0E7E-8CCD-4257-9CE8-8F8D35578F0C
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17650 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:30:01 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3683585662-1113033933-2375018652-210720565
Account Name: DB8F0E7E-8CCD-4257-9CE8-8F8D35578F0C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6AF554
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17649 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:30:01 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3683585662-1113033933-2375018652-210720565
Account Name: DB8F0E7E-8CCD-4257-9CE8-8F8D35578F0C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6AF554
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17648 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:30:01 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: DB8F0E7E-8CCD-4257-9CE8-8F8D35578F0C
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17647 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:30:01 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x6AB7B6
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17646 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:29:11 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Identification
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x6AB7B6
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {263E8714-E751-0AC8-D615-26BB3905D945}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 64524
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17645 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:29:01 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x6AB7B6
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17644 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:29:01 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1528110522-1261228126-158541480-3516528570
Account Name: 5B151DBA-D05E-4B2C-A826-7309BAF799D1
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x69965E
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17643 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:28:31 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x69BFF4
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17642 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:27:14 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1528110522-1261228126-158541480-3516528570
Account Name: 5B151DBA-D05E-4B2C-A826-7309BAF799D1
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x69D0A5
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17641 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:27:02 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1528110522-1261228126-158541480-3516528570
Account Name: 5B151DBA-D05E-4B2C-A826-7309BAF799D1
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x69D0A5
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17640 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:27:02 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1528110522-1261228126-158541480-3516528570
Account Name: 5B151DBA-D05E-4B2C-A826-7309BAF799D1
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x69D0A5
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17639 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:27:02 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 5B151DBA-D05E-4B2C-A826-7309BAF799D1
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17638 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:27:02 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Identification
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x69BFF4
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {263E8714-E751-0AC8-D615-26BB3905D945}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 64520
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17637 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:27:00 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x69BFF4
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17636 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:27:00 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1528110522-1261228126-158541480-3516528570
Account Name: 5B151DBA-D05E-4B2C-A826-7309BAF799D1
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x69A349
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17635 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:26:58 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1528110522-1261228126-158541480-3516528570
Account Name: 5B151DBA-D05E-4B2C-A826-7309BAF799D1
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x69A349
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17634 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:26:58 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1528110522-1261228126-158541480-3516528570
Account Name: 5B151DBA-D05E-4B2C-A826-7309BAF799D1
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x69A349
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17633 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:26:58 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 5B151DBA-D05E-4B2C-A826-7309BAF799D1
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17632 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:26:58 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1528110522-1261228126-158541480-3516528570
Account Name: 5B151DBA-D05E-4B2C-A826-7309BAF799D1
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x699516
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17631 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:26:58 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1528110522-1261228126-158541480-3516528570
Account Name: 5B151DBA-D05E-4B2C-A826-7309BAF799D1
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x69965E
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17630 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:26:58 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1528110522-1261228126-158541480-3516528570
Account Name: 5B151DBA-D05E-4B2C-A826-7309BAF799D1
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x69965E
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17629 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:26:58 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 5B151DBA-D05E-4B2C-A826-7309BAF799D1
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17628 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:26:58 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1528110522-1261228126-158541480-3516528570
Account Name: 5B151DBA-D05E-4B2C-A826-7309BAF799D1
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x699605
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17627 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:26:58 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1528110522-1261228126-158541480-3516528570
Account Name: 5B151DBA-D05E-4B2C-A826-7309BAF799D1
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x699605
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17626 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:26:58 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1528110522-1261228126-158541480-3516528570
Account Name: 5B151DBA-D05E-4B2C-A826-7309BAF799D1
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x699605
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17625 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:26:58 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 5B151DBA-D05E-4B2C-A826-7309BAF799D1
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17624 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:26:58 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1528110522-1261228126-158541480-3516528570
Account Name: 5B151DBA-D05E-4B2C-A826-7309BAF799D1
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6995BC
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17623 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:26:58 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1528110522-1261228126-158541480-3516528570
Account Name: 5B151DBA-D05E-4B2C-A826-7309BAF799D1
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6995BC
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17622 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:26:58 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1528110522-1261228126-158541480-3516528570
Account Name: 5B151DBA-D05E-4B2C-A826-7309BAF799D1
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6995BC
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17621 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:26:58 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 5B151DBA-D05E-4B2C-A826-7309BAF799D1
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17620 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:26:58 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1528110522-1261228126-158541480-3516528570
Account Name: 5B151DBA-D05E-4B2C-A826-7309BAF799D1
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x699516
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17619 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:26:58 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1528110522-1261228126-158541480-3516528570
Account Name: 5B151DBA-D05E-4B2C-A826-7309BAF799D1
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x699516
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17618 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:26:58 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 5B151DBA-D05E-4B2C-A826-7309BAF799D1
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17617 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:26:58 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2874476419-1136911180-1263053247-854584773
Account Name: AB550783-E34C-43C3-BFA9-484BC5EDEF32
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x68A598
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17616 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:26:04 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x68833E
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17615 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:25:12 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2874476419-1136911180-1263053247-854584773
Account Name: AB550783-E34C-43C3-BFA9-484BC5EDEF32
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x68DF49
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17614 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:25:12 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2874476419-1136911180-1263053247-854584773
Account Name: AB550783-E34C-43C3-BFA9-484BC5EDEF32
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x68DF49
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17613 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:25:12 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2874476419-1136911180-1263053247-854584773
Account Name: AB550783-E34C-43C3-BFA9-484BC5EDEF32
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x68DF49
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17612 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:25:12 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: AB550783-E34C-43C3-BFA9-484BC5EDEF32
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17611 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:25:12 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2874476419-1136911180-1263053247-854584773
Account Name: AB550783-E34C-43C3-BFA9-484BC5EDEF32
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x68B284
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17610 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:25:06 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2874476419-1136911180-1263053247-854584773
Account Name: AB550783-E34C-43C3-BFA9-484BC5EDEF32
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x68B284
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17609 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:25:06 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2874476419-1136911180-1263053247-854584773
Account Name: AB550783-E34C-43C3-BFA9-484BC5EDEF32
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x68B284
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17608 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:25:06 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: AB550783-E34C-43C3-BFA9-484BC5EDEF32
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17607 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:25:06 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2874476419-1136911180-1263053247-854584773
Account Name: AB550783-E34C-43C3-BFA9-484BC5EDEF32
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x68A450
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17606 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:25:06 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2874476419-1136911180-1263053247-854584773
Account Name: AB550783-E34C-43C3-BFA9-484BC5EDEF32
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x68A598
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17605 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:25:06 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2874476419-1136911180-1263053247-854584773
Account Name: AB550783-E34C-43C3-BFA9-484BC5EDEF32
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x68A598
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17604 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:25:06 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: AB550783-E34C-43C3-BFA9-484BC5EDEF32
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17603 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:25:06 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2874476419-1136911180-1263053247-854584773
Account Name: AB550783-E34C-43C3-BFA9-484BC5EDEF32
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x68A53F
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17602 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:25:06 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2874476419-1136911180-1263053247-854584773
Account Name: AB550783-E34C-43C3-BFA9-484BC5EDEF32
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x68A53F
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17601 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:25:06 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2874476419-1136911180-1263053247-854584773
Account Name: AB550783-E34C-43C3-BFA9-484BC5EDEF32
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x68A53F
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17600 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:25:06 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: AB550783-E34C-43C3-BFA9-484BC5EDEF32
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17599 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:25:06 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2874476419-1136911180-1263053247-854584773
Account Name: AB550783-E34C-43C3-BFA9-484BC5EDEF32
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x68A4F6
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17598 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:25:06 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2874476419-1136911180-1263053247-854584773
Account Name: AB550783-E34C-43C3-BFA9-484BC5EDEF32
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x68A4F6
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17597 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:25:06 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2874476419-1136911180-1263053247-854584773
Account Name: AB550783-E34C-43C3-BFA9-484BC5EDEF32
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x68A4F6
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17596 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:25:06 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: AB550783-E34C-43C3-BFA9-484BC5EDEF32
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17595 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:25:06 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2874476419-1136911180-1263053247-854584773
Account Name: AB550783-E34C-43C3-BFA9-484BC5EDEF32
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x68A450
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17594 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:25:06 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2874476419-1136911180-1263053247-854584773
Account Name: AB550783-E34C-43C3-BFA9-484BC5EDEF32
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x68A450
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17593 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:25:06 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: AB550783-E34C-43C3-BFA9-484BC5EDEF32
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17592 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:25:06 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Identification
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x68833E
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {263E8714-E751-0AC8-D615-26BB3905D945}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 64506
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17591 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:24:59 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x68833E
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17590 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:24:59 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x67D063
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17589 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:23:12 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1741697179-1317233967-1818223759-132497713
Account Name: 67D0309B-652F-4E83-8FE4-5F6C31C1E507
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6766A9
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17588 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:23:02 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Identification
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x67D063
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {263E8714-E751-0AC8-D615-26BB3905D945}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 64499
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17587 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:22:58 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x67D063
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17586 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:22:58 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1741697179-1317233967-1818223759-132497713
Account Name: 67D0309B-652F-4E83-8FE4-5F6C31C1E507
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x67A202
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17585 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:22:23 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1741697179-1317233967-1818223759-132497713
Account Name: 67D0309B-652F-4E83-8FE4-5F6C31C1E507
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x67A202
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17584 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:22:23 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1741697179-1317233967-1818223759-132497713
Account Name: 67D0309B-652F-4E83-8FE4-5F6C31C1E507
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x67A202
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17583 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:22:23 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 67D0309B-652F-4E83-8FE4-5F6C31C1E507
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17582 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:22:23 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1741697179-1317233967-1818223759-132497713
Account Name: 67D0309B-652F-4E83-8FE4-5F6C31C1E507
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x67738D
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17581 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:22:17 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1741697179-1317233967-1818223759-132497713
Account Name: 67D0309B-652F-4E83-8FE4-5F6C31C1E507
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x67738D
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17580 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:22:17 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1741697179-1317233967-1818223759-132497713
Account Name: 67D0309B-652F-4E83-8FE4-5F6C31C1E507
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x67738D
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17579 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:22:17 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 67D0309B-652F-4E83-8FE4-5F6C31C1E507
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17578 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:22:17 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1741697179-1317233967-1818223759-132497713
Account Name: 67D0309B-652F-4E83-8FE4-5F6C31C1E507
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x676561
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17577 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:22:16 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1741697179-1317233967-1818223759-132497713
Account Name: 67D0309B-652F-4E83-8FE4-5F6C31C1E507
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6766A9
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17576 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:22:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1741697179-1317233967-1818223759-132497713
Account Name: 67D0309B-652F-4E83-8FE4-5F6C31C1E507
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6766A9
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17575 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:22:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 67D0309B-652F-4E83-8FE4-5F6C31C1E507
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17574 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:22:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1741697179-1317233967-1818223759-132497713
Account Name: 67D0309B-652F-4E83-8FE4-5F6C31C1E507
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x676650
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17573 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:22:16 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1741697179-1317233967-1818223759-132497713
Account Name: 67D0309B-652F-4E83-8FE4-5F6C31C1E507
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x676650
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17572 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:22:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1741697179-1317233967-1818223759-132497713
Account Name: 67D0309B-652F-4E83-8FE4-5F6C31C1E507
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x676650
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17571 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:22:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 67D0309B-652F-4E83-8FE4-5F6C31C1E507
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17570 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:22:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1741697179-1317233967-1818223759-132497713
Account Name: 67D0309B-652F-4E83-8FE4-5F6C31C1E507
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x676607
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17569 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:22:16 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1741697179-1317233967-1818223759-132497713
Account Name: 67D0309B-652F-4E83-8FE4-5F6C31C1E507
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x676607
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17568 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:22:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1741697179-1317233967-1818223759-132497713
Account Name: 67D0309B-652F-4E83-8FE4-5F6C31C1E507
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x676607
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17567 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:22:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 67D0309B-652F-4E83-8FE4-5F6C31C1E507
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17566 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:22:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1741697179-1317233967-1818223759-132497713
Account Name: 67D0309B-652F-4E83-8FE4-5F6C31C1E507
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x676561
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17565 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:22:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1741697179-1317233967-1818223759-132497713
Account Name: 67D0309B-652F-4E83-8FE4-5F6C31C1E507
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x676561
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17564 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:22:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 67D0309B-652F-4E83-8FE4-5F6C31C1E507
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17563 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:22:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x671DA5
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17562 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:21:12 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Identification
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x671DA5
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {263E8714-E751-0AC8-D615-26BB3905D945}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 64490
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17561 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:20:57 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x671DA5
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17560 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:20:57 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2153306194-1297549775-2783765898-1794583828
Account Name: 8058D852-09CF-4D57-8AE5-ECA5142DF76A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x654C38
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17559 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:19:43 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x664B16
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17558 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:19:11 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Identification
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x664B16
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {263E8714-E751-0AC8-D615-26BB3905D945}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 64475
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17557 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:18:56 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x664B16
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17556 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:18:56 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x65E225
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17555 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:17:09 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Identification
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x65E225
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {263E8714-E751-0AC8-D615-26BB3905D945}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 64472
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17554 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:16:55 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x65E225
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17553 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:16:55 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2153306194-1297549775-2783765898-1794583828
Account Name: 8058D852-09CF-4D57-8AE5-ECA5142DF76A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x65BB43
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17552 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:16:31 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2153306194-1297549775-2783765898-1794583828
Account Name: 8058D852-09CF-4D57-8AE5-ECA5142DF76A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x65BB43
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17551 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:16:31 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2153306194-1297549775-2783765898-1794583828
Account Name: 8058D852-09CF-4D57-8AE5-ECA5142DF76A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x65BB43
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17550 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:16:31 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 8058D852-09CF-4D57-8AE5-ECA5142DF76A
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17549 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:16:31 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2153306194-1297549775-2783765898-1794583828
Account Name: 8058D852-09CF-4D57-8AE5-ECA5142DF76A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x658686
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17548 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:16:17 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2153306194-1297549775-2783765898-1794583828
Account Name: 8058D852-09CF-4D57-8AE5-ECA5142DF76A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x658686
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17547 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:16:17 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2153306194-1297549775-2783765898-1794583828
Account Name: 8058D852-09CF-4D57-8AE5-ECA5142DF76A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x658686
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17546 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:16:17 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 8058D852-09CF-4D57-8AE5-ECA5142DF76A
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17545 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:16:17 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2153306194-1297549775-2783765898-1794583828
Account Name: 8058D852-09CF-4D57-8AE5-ECA5142DF76A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x655996
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17544 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:16:11 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2153306194-1297549775-2783765898-1794583828
Account Name: 8058D852-09CF-4D57-8AE5-ECA5142DF76A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x655996
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17543 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:16:11 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2153306194-1297549775-2783765898-1794583828
Account Name: 8058D852-09CF-4D57-8AE5-ECA5142DF76A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x655996
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17542 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:16:11 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 8058D852-09CF-4D57-8AE5-ECA5142DF76A
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17541 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:16:11 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2153306194-1297549775-2783765898-1794583828
Account Name: 8058D852-09CF-4D57-8AE5-ECA5142DF76A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x654AF0
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17540 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:16:10 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2153306194-1297549775-2783765898-1794583828
Account Name: 8058D852-09CF-4D57-8AE5-ECA5142DF76A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x654C38
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17539 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:16:10 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2153306194-1297549775-2783765898-1794583828
Account Name: 8058D852-09CF-4D57-8AE5-ECA5142DF76A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x654C38
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17538 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:16:10 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 8058D852-09CF-4D57-8AE5-ECA5142DF76A
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17537 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:16:10 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2153306194-1297549775-2783765898-1794583828
Account Name: 8058D852-09CF-4D57-8AE5-ECA5142DF76A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x654BDF
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17536 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:16:10 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2153306194-1297549775-2783765898-1794583828
Account Name: 8058D852-09CF-4D57-8AE5-ECA5142DF76A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x654BDF
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17535 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:16:10 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2153306194-1297549775-2783765898-1794583828
Account Name: 8058D852-09CF-4D57-8AE5-ECA5142DF76A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x654BDF
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17534 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:16:10 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 8058D852-09CF-4D57-8AE5-ECA5142DF76A
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17533 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:16:10 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2153306194-1297549775-2783765898-1794583828
Account Name: 8058D852-09CF-4D57-8AE5-ECA5142DF76A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x654B96
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17532 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:16:10 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2153306194-1297549775-2783765898-1794583828
Account Name: 8058D852-09CF-4D57-8AE5-ECA5142DF76A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x654B96
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17531 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:16:10 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2153306194-1297549775-2783765898-1794583828
Account Name: 8058D852-09CF-4D57-8AE5-ECA5142DF76A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x654B96
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17530 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:16:10 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 8058D852-09CF-4D57-8AE5-ECA5142DF76A
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17529 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:16:10 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2153306194-1297549775-2783765898-1794583828
Account Name: 8058D852-09CF-4D57-8AE5-ECA5142DF76A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x654AF0
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17528 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:16:10 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2153306194-1297549775-2783765898-1794583828
Account Name: 8058D852-09CF-4D57-8AE5-ECA5142DF76A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x654AF0
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17527 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:16:10 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 8058D852-09CF-4D57-8AE5-ECA5142DF76A
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17526 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:16:10 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x65045D
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17525 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:15:04 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Identification
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x65045D
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {263E8714-E751-0AC8-D615-26BB3905D945}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 64453
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17524 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:14:54 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x65045D
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17523 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:14:54 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1715748501-1166620065-323930546-3822672917
Account Name: 66443E95-35A1-4589-B2C9-4E13155CD9E3
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x642A3D
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17522 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:14:53 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1715748501-1166620065-323930546-3822672917
Account Name: 66443E95-35A1-4589-B2C9-4E13155CD9E3
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6496F3
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17521 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:14:42 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1715748501-1166620065-323930546-3822672917
Account Name: 66443E95-35A1-4589-B2C9-4E13155CD9E3
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6496F3
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17520 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:14:42 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1715748501-1166620065-323930546-3822672917
Account Name: 66443E95-35A1-4589-B2C9-4E13155CD9E3
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6496F3
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17519 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:14:42 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 66443E95-35A1-4589-B2C9-4E13155CD9E3
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17518 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:14:42 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1715748501-1166620065-323930546-3822672917
Account Name: 66443E95-35A1-4589-B2C9-4E13155CD9E3
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x646466
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17517 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:14:28 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1715748501-1166620065-323930546-3822672917
Account Name: 66443E95-35A1-4589-B2C9-4E13155CD9E3
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x646466
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17516 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:14:28 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1715748501-1166620065-323930546-3822672917
Account Name: 66443E95-35A1-4589-B2C9-4E13155CD9E3
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x646466
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17515 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:14:28 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 66443E95-35A1-4589-B2C9-4E13155CD9E3
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17514 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:14:28 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1715748501-1166620065-323930546-3822672917
Account Name: 66443E95-35A1-4589-B2C9-4E13155CD9E3
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x643767
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17513 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:14:23 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1715748501-1166620065-323930546-3822672917
Account Name: 66443E95-35A1-4589-B2C9-4E13155CD9E3
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x643767
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17512 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:14:23 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1715748501-1166620065-323930546-3822672917
Account Name: 66443E95-35A1-4589-B2C9-4E13155CD9E3
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x643767
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17511 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:14:23 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 66443E95-35A1-4589-B2C9-4E13155CD9E3
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17510 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:14:23 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1715748501-1166620065-323930546-3822672917
Account Name: 66443E95-35A1-4589-B2C9-4E13155CD9E3
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6428F6
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17509 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:14:23 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1715748501-1166620065-323930546-3822672917
Account Name: 66443E95-35A1-4589-B2C9-4E13155CD9E3
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x642A3D
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17508 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:14:23 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1715748501-1166620065-323930546-3822672917
Account Name: 66443E95-35A1-4589-B2C9-4E13155CD9E3
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x642A3D
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17507 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:14:23 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 66443E95-35A1-4589-B2C9-4E13155CD9E3
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17506 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:14:23 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1715748501-1166620065-323930546-3822672917
Account Name: 66443E95-35A1-4589-B2C9-4E13155CD9E3
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6429E4
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17505 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:14:23 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1715748501-1166620065-323930546-3822672917
Account Name: 66443E95-35A1-4589-B2C9-4E13155CD9E3
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6429E4
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17504 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:14:23 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1715748501-1166620065-323930546-3822672917
Account Name: 66443E95-35A1-4589-B2C9-4E13155CD9E3
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6429E4
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17503 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:14:23 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 66443E95-35A1-4589-B2C9-4E13155CD9E3
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17502 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:14:23 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1715748501-1166620065-323930546-3822672917
Account Name: 66443E95-35A1-4589-B2C9-4E13155CD9E3
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x64299B
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17501 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:14:23 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1715748501-1166620065-323930546-3822672917
Account Name: 66443E95-35A1-4589-B2C9-4E13155CD9E3
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x64299B
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17500 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:14:23 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1715748501-1166620065-323930546-3822672917
Account Name: 66443E95-35A1-4589-B2C9-4E13155CD9E3
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x64299B
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17499 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:14:23 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 66443E95-35A1-4589-B2C9-4E13155CD9E3
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17498 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:14:23 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1715748501-1166620065-323930546-3822672917
Account Name: 66443E95-35A1-4589-B2C9-4E13155CD9E3
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6428F6
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17497 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:14:23 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1715748501-1166620065-323930546-3822672917
Account Name: 66443E95-35A1-4589-B2C9-4E13155CD9E3
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6428F6
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17496 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:14:23 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 66443E95-35A1-4589-B2C9-4E13155CD9E3
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17495 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:14:23 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1293308104-1299451127-2527807156-1847954885
Account Name: 4D1650C8-0CF7-4D74-B446-AB96C58D256E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x633EA4
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17494 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:14:17 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1293308104-1299451127-2527807156-1847954885
Account Name: 4D1650C8-0CF7-4D74-B446-AB96C58D256E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x63BCCB
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17493 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:14:06 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1293308104-1299451127-2527807156-1847954885
Account Name: 4D1650C8-0CF7-4D74-B446-AB96C58D256E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x63BCCB
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17492 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:14:06 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1293308104-1299451127-2527807156-1847954885
Account Name: 4D1650C8-0CF7-4D74-B446-AB96C58D256E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x63BCCB
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17491 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:14:06 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 4D1650C8-0CF7-4D74-B446-AB96C58D256E
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17490 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:14:06 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1293308104-1299451127-2527807156-1847954885
Account Name: 4D1650C8-0CF7-4D74-B446-AB96C58D256E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x638810
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17489 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:13:52 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1293308104-1299451127-2527807156-1847954885
Account Name: 4D1650C8-0CF7-4D74-B446-AB96C58D256E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x638810
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17488 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:13:52 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1293308104-1299451127-2527807156-1847954885
Account Name: 4D1650C8-0CF7-4D74-B446-AB96C58D256E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x638810
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17487 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:13:52 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 4D1650C8-0CF7-4D74-B446-AB96C58D256E
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17486 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:13:52 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1293308104-1299451127-2527807156-1847954885
Account Name: 4D1650C8-0CF7-4D74-B446-AB96C58D256E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x634B5C
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17485 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:13:46 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1293308104-1299451127-2527807156-1847954885
Account Name: 4D1650C8-0CF7-4D74-B446-AB96C58D256E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x634B5C
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17484 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:13:46 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1293308104-1299451127-2527807156-1847954885
Account Name: 4D1650C8-0CF7-4D74-B446-AB96C58D256E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x634B5C
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17483 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:13:46 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 4D1650C8-0CF7-4D74-B446-AB96C58D256E
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17482 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:13:46 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1293308104-1299451127-2527807156-1847954885
Account Name: 4D1650C8-0CF7-4D74-B446-AB96C58D256E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x633D5C
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17481 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:13:46 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1293308104-1299451127-2527807156-1847954885
Account Name: 4D1650C8-0CF7-4D74-B446-AB96C58D256E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x633EA4
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17480 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:13:46 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1293308104-1299451127-2527807156-1847954885
Account Name: 4D1650C8-0CF7-4D74-B446-AB96C58D256E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x633EA4
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17479 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:13:46 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 4D1650C8-0CF7-4D74-B446-AB96C58D256E
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17478 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:13:46 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1293308104-1299451127-2527807156-1847954885
Account Name: 4D1650C8-0CF7-4D74-B446-AB96C58D256E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x633E4B
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17477 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:13:46 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1293308104-1299451127-2527807156-1847954885
Account Name: 4D1650C8-0CF7-4D74-B446-AB96C58D256E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x633E4B
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17476 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:13:46 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1293308104-1299451127-2527807156-1847954885
Account Name: 4D1650C8-0CF7-4D74-B446-AB96C58D256E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x633E4B
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17475 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:13:46 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 4D1650C8-0CF7-4D74-B446-AB96C58D256E
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17474 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:13:46 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1293308104-1299451127-2527807156-1847954885
Account Name: 4D1650C8-0CF7-4D74-B446-AB96C58D256E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x633E02
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17473 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:13:46 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1293308104-1299451127-2527807156-1847954885
Account Name: 4D1650C8-0CF7-4D74-B446-AB96C58D256E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x633E02
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17472 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:13:46 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1293308104-1299451127-2527807156-1847954885
Account Name: 4D1650C8-0CF7-4D74-B446-AB96C58D256E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x633E02
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17471 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:13:46 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 4D1650C8-0CF7-4D74-B446-AB96C58D256E
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17470 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:13:46 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1293308104-1299451127-2527807156-1847954885
Account Name: 4D1650C8-0CF7-4D74-B446-AB96C58D256E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x633D5C
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17469 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:13:46 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1293308104-1299451127-2527807156-1847954885
Account Name: 4D1650C8-0CF7-4D74-B446-AB96C58D256E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x633D5C
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17468 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:13:46 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 4D1650C8-0CF7-4D74-B446-AB96C58D256E
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17467 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:13:46 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x629BE4
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17466 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:13:15 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3021320336-1092470555-1434501550-2539388361
Account Name: B415B090-C71B-411D-AEC1-8055C9FD5B97
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x628EE9
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17465 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:13:01 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3021320336-1092470555-1434501550-2539388361
Account Name: B415B090-C71B-411D-AEC1-8055C9FD5B97
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x62C7DE
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17464 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:12:58 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3021320336-1092470555-1434501550-2539388361
Account Name: B415B090-C71B-411D-AEC1-8055C9FD5B97
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x62C7DE
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17463 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:12:58 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3021320336-1092470555-1434501550-2539388361
Account Name: B415B090-C71B-411D-AEC1-8055C9FD5B97
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x62C7DE
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17462 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:12:58 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: B415B090-C71B-411D-AEC1-8055C9FD5B97
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17461 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:12:58 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3021320336-1092470555-1434501550-2539388361
Account Name: B415B090-C71B-411D-AEC1-8055C9FD5B97
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x629BCF
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17460 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:12:53 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3021320336-1092470555-1434501550-2539388361
Account Name: B415B090-C71B-411D-AEC1-8055C9FD5B97
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x629BCF
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17459 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:12:53 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3021320336-1092470555-1434501550-2539388361
Account Name: B415B090-C71B-411D-AEC1-8055C9FD5B97
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x629BCF
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17458 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:12:53 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: B415B090-C71B-411D-AEC1-8055C9FD5B97
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17457 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:12:53 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Identification
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x629BE4
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {263E8714-E751-0AC8-D615-26BB3905D945}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 64449
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17456 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:12:53 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x629BE4
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17455 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:12:53 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3021320336-1092470555-1434501550-2539388361
Account Name: B415B090-C71B-411D-AEC1-8055C9FD5B97
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x628DA2
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17454 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:12:53 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3021320336-1092470555-1434501550-2539388361
Account Name: B415B090-C71B-411D-AEC1-8055C9FD5B97
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x628EE9
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17453 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:12:53 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3021320336-1092470555-1434501550-2539388361
Account Name: B415B090-C71B-411D-AEC1-8055C9FD5B97
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x628EE9
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17452 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:12:53 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: B415B090-C71B-411D-AEC1-8055C9FD5B97
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17451 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:12:53 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3021320336-1092470555-1434501550-2539388361
Account Name: B415B090-C71B-411D-AEC1-8055C9FD5B97
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x628E90
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17450 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:12:53 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3021320336-1092470555-1434501550-2539388361
Account Name: B415B090-C71B-411D-AEC1-8055C9FD5B97
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x628E90
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17449 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:12:53 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3021320336-1092470555-1434501550-2539388361
Account Name: B415B090-C71B-411D-AEC1-8055C9FD5B97
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x628E90
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17448 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:12:53 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: B415B090-C71B-411D-AEC1-8055C9FD5B97
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17447 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:12:53 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3021320336-1092470555-1434501550-2539388361
Account Name: B415B090-C71B-411D-AEC1-8055C9FD5B97
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x628E47
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17446 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:12:53 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3021320336-1092470555-1434501550-2539388361
Account Name: B415B090-C71B-411D-AEC1-8055C9FD5B97
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x628E47
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17445 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:12:53 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3021320336-1092470555-1434501550-2539388361
Account Name: B415B090-C71B-411D-AEC1-8055C9FD5B97
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x628E47
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17444 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:12:53 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: B415B090-C71B-411D-AEC1-8055C9FD5B97
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17443 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:12:53 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3021320336-1092470555-1434501550-2539388361
Account Name: B415B090-C71B-411D-AEC1-8055C9FD5B97
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x628DA2
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17442 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:12:53 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3021320336-1092470555-1434501550-2539388361
Account Name: B415B090-C71B-411D-AEC1-8055C9FD5B97
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x628DA2
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17441 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:12:53 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: B415B090-C71B-411D-AEC1-8055C9FD5B97
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17440 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:12:53 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2611383540-1339080928-3206979502-4219146293
Account Name: 9BA68CF4-C0E0-4FD0-AE9F-26BF35107BFB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x61B85C
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17439 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:12:16 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2611383540-1339080928-3206979502-4219146293
Account Name: 9BA68CF4-C0E0-4FD0-AE9F-26BF35107BFB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x61F252
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17438 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:12:13 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2611383540-1339080928-3206979502-4219146293
Account Name: 9BA68CF4-C0E0-4FD0-AE9F-26BF35107BFB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x61F252
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17437 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:12:13 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2611383540-1339080928-3206979502-4219146293
Account Name: 9BA68CF4-C0E0-4FD0-AE9F-26BF35107BFB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x61F252
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17436 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:12:13 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 9BA68CF4-C0E0-4FD0-AE9F-26BF35107BFB
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17435 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:12:13 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2611383540-1339080928-3206979502-4219146293
Account Name: 9BA68CF4-C0E0-4FD0-AE9F-26BF35107BFB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x61DF04
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17434 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:12:13 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2611383540-1339080928-3206979502-4219146293
Account Name: 9BA68CF4-C0E0-4FD0-AE9F-26BF35107BFB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x61DF04
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17433 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:12:13 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2611383540-1339080928-3206979502-4219146293
Account Name: 9BA68CF4-C0E0-4FD0-AE9F-26BF35107BFB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x61DF04
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17432 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:12:13 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 9BA68CF4-C0E0-4FD0-AE9F-26BF35107BFB
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17431 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:12:13 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2611383540-1339080928-3206979502-4219146293
Account Name: 9BA68CF4-C0E0-4FD0-AE9F-26BF35107BFB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x61C510
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17430 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:12:07 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2611383540-1339080928-3206979502-4219146293
Account Name: 9BA68CF4-C0E0-4FD0-AE9F-26BF35107BFB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x61C510
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17429 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:12:07 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2611383540-1339080928-3206979502-4219146293
Account Name: 9BA68CF4-C0E0-4FD0-AE9F-26BF35107BFB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x61C510
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17428 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:12:07 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 9BA68CF4-C0E0-4FD0-AE9F-26BF35107BFB
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17427 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:12:07 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2611383540-1339080928-3206979502-4219146293
Account Name: 9BA68CF4-C0E0-4FD0-AE9F-26BF35107BFB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x61B69A
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17426 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:12:07 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2611383540-1339080928-3206979502-4219146293
Account Name: 9BA68CF4-C0E0-4FD0-AE9F-26BF35107BFB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x61B85C
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17425 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:12:07 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2611383540-1339080928-3206979502-4219146293
Account Name: 9BA68CF4-C0E0-4FD0-AE9F-26BF35107BFB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x61B85C
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17424 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:12:07 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 9BA68CF4-C0E0-4FD0-AE9F-26BF35107BFB
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17423 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:12:07 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2611383540-1339080928-3206979502-4219146293
Account Name: 9BA68CF4-C0E0-4FD0-AE9F-26BF35107BFB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x61B803
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17422 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:12:07 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2611383540-1339080928-3206979502-4219146293
Account Name: 9BA68CF4-C0E0-4FD0-AE9F-26BF35107BFB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x61B803
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17421 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:12:07 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2611383540-1339080928-3206979502-4219146293
Account Name: 9BA68CF4-C0E0-4FD0-AE9F-26BF35107BFB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x61B803
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17420 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:12:07 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 9BA68CF4-C0E0-4FD0-AE9F-26BF35107BFB
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17419 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:12:07 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2611383540-1339080928-3206979502-4219146293
Account Name: 9BA68CF4-C0E0-4FD0-AE9F-26BF35107BFB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x61B740
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17418 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:12:07 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2611383540-1339080928-3206979502-4219146293
Account Name: 9BA68CF4-C0E0-4FD0-AE9F-26BF35107BFB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x61B740
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17417 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:12:07 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2611383540-1339080928-3206979502-4219146293
Account Name: 9BA68CF4-C0E0-4FD0-AE9F-26BF35107BFB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x61B740
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17416 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:12:07 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 9BA68CF4-C0E0-4FD0-AE9F-26BF35107BFB
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17415 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:12:07 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2611383540-1339080928-3206979502-4219146293
Account Name: 9BA68CF4-C0E0-4FD0-AE9F-26BF35107BFB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x61B69A
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17414 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:12:07 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2611383540-1339080928-3206979502-4219146293
Account Name: 9BA68CF4-C0E0-4FD0-AE9F-26BF35107BFB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x61B69A
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17413 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:12:07 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 9BA68CF4-C0E0-4FD0-AE9F-26BF35107BFB
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17412 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:12:07 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x610FEE
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17411 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:11:45 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1007915942-1180727968-2707193491-2729338995
Account Name: 3C1393A6-7AA0-4660-937E-5CA17368AEA2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x609F82
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17410 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:11:38 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1007915942-1180727968-2707193491-2729338995
Account Name: 3C1393A6-7AA0-4660-937E-5CA17368AEA2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x613538
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17409 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:11:18 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1007915942-1180727968-2707193491-2729338995
Account Name: 3C1393A6-7AA0-4660-937E-5CA17368AEA2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x613538
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17408 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:11:18 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1007915942-1180727968-2707193491-2729338995
Account Name: 3C1393A6-7AA0-4660-937E-5CA17368AEA2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x613538
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17407 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:11:18 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 3C1393A6-7AA0-4660-937E-5CA17368AEA2
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17406 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:11:18 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Identification
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x610FEE
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {263E8714-E751-0AC8-D615-26BB3905D945}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 64433
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17405 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:10:52 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x610FEE
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17404 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:10:52 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1007915942-1180727968-2707193491-2729338995
Account Name: 3C1393A6-7AA0-4660-937E-5CA17368AEA2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x60D8E7
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17403 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:10:29 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1007915942-1180727968-2707193491-2729338995
Account Name: 3C1393A6-7AA0-4660-937E-5CA17368AEA2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x60D8E7
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17402 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:10:29 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1007915942-1180727968-2707193491-2729338995
Account Name: 3C1393A6-7AA0-4660-937E-5CA17368AEA2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x60D8E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17401 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:10:29 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 3C1393A6-7AA0-4660-937E-5CA17368AEA2
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17400 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:10:29 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1007915942-1180727968-2707193491-2729338995
Account Name: 3C1393A6-7AA0-4660-937E-5CA17368AEA2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x60AC2F
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17399 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:10:24 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1007915942-1180727968-2707193491-2729338995
Account Name: 3C1393A6-7AA0-4660-937E-5CA17368AEA2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x60AC2F
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17398 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:10:24 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1007915942-1180727968-2707193491-2729338995
Account Name: 3C1393A6-7AA0-4660-937E-5CA17368AEA2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x60AC2F
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17397 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:10:24 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 3C1393A6-7AA0-4660-937E-5CA17368AEA2
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17396 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:10:24 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1007915942-1180727968-2707193491-2729338995
Account Name: 3C1393A6-7AA0-4660-937E-5CA17368AEA2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x609DC5
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17395 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:10:24 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1007915942-1180727968-2707193491-2729338995
Account Name: 3C1393A6-7AA0-4660-937E-5CA17368AEA2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x609F82
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17394 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:10:24 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1007915942-1180727968-2707193491-2729338995
Account Name: 3C1393A6-7AA0-4660-937E-5CA17368AEA2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x609F82
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17393 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:10:24 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 3C1393A6-7AA0-4660-937E-5CA17368AEA2
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17392 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:10:24 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1007915942-1180727968-2707193491-2729338995
Account Name: 3C1393A6-7AA0-4660-937E-5CA17368AEA2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x609F29
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17391 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:10:24 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1007915942-1180727968-2707193491-2729338995
Account Name: 3C1393A6-7AA0-4660-937E-5CA17368AEA2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x609F29
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17390 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:10:24 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1007915942-1180727968-2707193491-2729338995
Account Name: 3C1393A6-7AA0-4660-937E-5CA17368AEA2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x609F29
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17389 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:10:24 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 3C1393A6-7AA0-4660-937E-5CA17368AEA2
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17388 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:10:24 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1007915942-1180727968-2707193491-2729338995
Account Name: 3C1393A6-7AA0-4660-937E-5CA17368AEA2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x609EE0
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17387 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:10:24 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1007915942-1180727968-2707193491-2729338995
Account Name: 3C1393A6-7AA0-4660-937E-5CA17368AEA2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x609EE0
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17386 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:10:24 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1007915942-1180727968-2707193491-2729338995
Account Name: 3C1393A6-7AA0-4660-937E-5CA17368AEA2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x609EE0
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17385 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:10:24 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 3C1393A6-7AA0-4660-937E-5CA17368AEA2
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17384 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:10:24 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1007915942-1180727968-2707193491-2729338995
Account Name: 3C1393A6-7AA0-4660-937E-5CA17368AEA2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x609DC5
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17383 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:10:24 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1007915942-1180727968-2707193491-2729338995
Account Name: 3C1393A6-7AA0-4660-937E-5CA17368AEA2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x609DC5
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17382 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:10:24 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 3C1393A6-7AA0-4660-937E-5CA17368AEA2
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17381 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:10:24 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x6002C3
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17380 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:10:17 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x5FC6C5
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17379 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:10:15 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2065402404-1142996118-2451988352-2598055808
Account Name: 7B1B8A24-BC96-4420-805F-2692802FDB9A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x60082F
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17378 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:10:10 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2065402404-1142996118-2451988352-2598055808
Account Name: 7B1B8A24-BC96-4420-805F-2692802FDB9A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x602763
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17377 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:10:06 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2065402404-1142996118-2451988352-2598055808
Account Name: 7B1B8A24-BC96-4420-805F-2692802FDB9A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x602763
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17376 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:10:06 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2065402404-1142996118-2451988352-2598055808
Account Name: 7B1B8A24-BC96-4420-805F-2692802FDB9A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x602763
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17375 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:10:06 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 7B1B8A24-BC96-4420-805F-2692802FDB9A
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17374 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:10:06 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2065402404-1142996118-2451988352-2598055808
Account Name: 7B1B8A24-BC96-4420-805F-2692802FDB9A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x601519
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17373 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:10:05 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2065402404-1142996118-2451988352-2598055808
Account Name: 7B1B8A24-BC96-4420-805F-2692802FDB9A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x601519
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17372 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:10:05 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2065402404-1142996118-2451988352-2598055808
Account Name: 7B1B8A24-BC96-4420-805F-2692802FDB9A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x601519
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17371 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:10:05 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 7B1B8A24-BC96-4420-805F-2692802FDB9A
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17370 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:10:05 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2065402404-1142996118-2451988352-2598055808
Account Name: 7B1B8A24-BC96-4420-805F-2692802FDB9A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6006E1
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17369 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:10:05 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2065402404-1142996118-2451988352-2598055808
Account Name: 7B1B8A24-BC96-4420-805F-2692802FDB9A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x60082F
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17368 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:10:05 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2065402404-1142996118-2451988352-2598055808
Account Name: 7B1B8A24-BC96-4420-805F-2692802FDB9A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x60082F
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17367 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:10:05 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 7B1B8A24-BC96-4420-805F-2692802FDB9A
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17366 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:10:05 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2065402404-1142996118-2451988352-2598055808
Account Name: 7B1B8A24-BC96-4420-805F-2692802FDB9A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6007D0
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17365 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:10:05 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2065402404-1142996118-2451988352-2598055808
Account Name: 7B1B8A24-BC96-4420-805F-2692802FDB9A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6007D0
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17364 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:10:05 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2065402404-1142996118-2451988352-2598055808
Account Name: 7B1B8A24-BC96-4420-805F-2692802FDB9A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6007D0
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17363 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:10:05 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 7B1B8A24-BC96-4420-805F-2692802FDB9A
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17362 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:10:05 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2065402404-1142996118-2451988352-2598055808
Account Name: 7B1B8A24-BC96-4420-805F-2692802FDB9A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x600787
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17361 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:10:05 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2065402404-1142996118-2451988352-2598055808
Account Name: 7B1B8A24-BC96-4420-805F-2692802FDB9A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x600787
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17360 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:10:05 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2065402404-1142996118-2451988352-2598055808
Account Name: 7B1B8A24-BC96-4420-805F-2692802FDB9A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x600787
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17359 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:10:05 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 7B1B8A24-BC96-4420-805F-2692802FDB9A
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17358 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:10:05 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2065402404-1142996118-2451988352-2598055808
Account Name: 7B1B8A24-BC96-4420-805F-2692802FDB9A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6006E1
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17357 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:10:05 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2065402404-1142996118-2451988352-2598055808
Account Name: 7B1B8A24-BC96-4420-805F-2692802FDB9A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x6006E1
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17356 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:10:05 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 7B1B8A24-BC96-4420-805F-2692802FDB9A
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17355 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:10:05 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x600314
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17354 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:10:01 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x600316
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17353 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:10:01 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x600312
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17352 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:10:01 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x600316
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: N-H2-849328-3
Source Network Address: 10.222.0.76
Source Port: 64422
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): NTLM V2
Key Length: 128
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17351 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:10:01 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x600316
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17350 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:10:01 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x600314
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: N-H2-849328-3
Source Network Address: 10.222.0.76
Source Port: 64421
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): NTLM V2
Key Length: 128
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17349 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:10:01 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x600314
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17348 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:10:01 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x600312
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: N-H2-849328-3
Source Network Address: 10.222.0.76
Source Port: 64420
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): NTLM V2
Key Length: 128
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17347 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:10:01 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x600312
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17346 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:10:01 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x6002C3
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: N-H2-849328-3
Source Network Address: 10.222.0.76
Source Port: 64419
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): NTLM V2
Key Length: 128
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17345 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:10:01 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x6002C3
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17344 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:10:01 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Identification
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x5FC6C5
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {263E8714-E751-0AC8-D615-26BB3905D945}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 64414
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17343 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:08:51 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x5FC6C5
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17342 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:08:51 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1257432339-1187591848-3388755126-2916459674
Account Name: 4AF2E513-36A8-46C9-B64C-FCC99AA4D5AD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5EEDA9
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17341 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:08:44 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1257432339-1187591848-3388755126-2916459674
Account Name: 4AF2E513-36A8-46C9-B64C-FCC99AA4D5AD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5F2878
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17340 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:07:49 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1257432339-1187591848-3388755126-2916459674
Account Name: 4AF2E513-36A8-46C9-B64C-FCC99AA4D5AD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5F2878
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17339 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:07:49 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1257432339-1187591848-3388755126-2916459674
Account Name: 4AF2E513-36A8-46C9-B64C-FCC99AA4D5AD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5F2878
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17338 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:07:49 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 4AF2E513-36A8-46C9-B64C-FCC99AA4D5AD
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17337 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:07:49 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1257432339-1187591848-3388755126-2916459674
Account Name: 4AF2E513-36A8-46C9-B64C-FCC99AA4D5AD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5EFADB
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17336 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:07:45 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1257432339-1187591848-3388755126-2916459674
Account Name: 4AF2E513-36A8-46C9-B64C-FCC99AA4D5AD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5EFADB
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17335 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:07:45 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1257432339-1187591848-3388755126-2916459674
Account Name: 4AF2E513-36A8-46C9-B64C-FCC99AA4D5AD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5EFADB
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17334 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:07:45 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 4AF2E513-36A8-46C9-B64C-FCC99AA4D5AD
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17333 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:07:45 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1257432339-1187591848-3388755126-2916459674
Account Name: 4AF2E513-36A8-46C9-B64C-FCC99AA4D5AD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5EEC61
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17332 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:07:45 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1257432339-1187591848-3388755126-2916459674
Account Name: 4AF2E513-36A8-46C9-B64C-FCC99AA4D5AD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5EEDA9
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17331 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:07:45 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1257432339-1187591848-3388755126-2916459674
Account Name: 4AF2E513-36A8-46C9-B64C-FCC99AA4D5AD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5EEDA9
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17330 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:07:45 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 4AF2E513-36A8-46C9-B64C-FCC99AA4D5AD
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17329 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:07:45 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1257432339-1187591848-3388755126-2916459674
Account Name: 4AF2E513-36A8-46C9-B64C-FCC99AA4D5AD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5EED50
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17328 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:07:45 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1257432339-1187591848-3388755126-2916459674
Account Name: 4AF2E513-36A8-46C9-B64C-FCC99AA4D5AD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5EED50
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17327 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:07:45 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1257432339-1187591848-3388755126-2916459674
Account Name: 4AF2E513-36A8-46C9-B64C-FCC99AA4D5AD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5EED50
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17326 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:07:45 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 4AF2E513-36A8-46C9-B64C-FCC99AA4D5AD
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17325 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:07:45 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1257432339-1187591848-3388755126-2916459674
Account Name: 4AF2E513-36A8-46C9-B64C-FCC99AA4D5AD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5EED07
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17324 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:07:45 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1257432339-1187591848-3388755126-2916459674
Account Name: 4AF2E513-36A8-46C9-B64C-FCC99AA4D5AD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5EED07
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17323 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:07:45 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1257432339-1187591848-3388755126-2916459674
Account Name: 4AF2E513-36A8-46C9-B64C-FCC99AA4D5AD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5EED07
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17322 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:07:45 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 4AF2E513-36A8-46C9-B64C-FCC99AA4D5AD
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17321 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:07:45 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1257432339-1187591848-3388755126-2916459674
Account Name: 4AF2E513-36A8-46C9-B64C-FCC99AA4D5AD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5EEC61
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17320 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:07:44 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1257432339-1187591848-3388755126-2916459674
Account Name: 4AF2E513-36A8-46C9-B64C-FCC99AA4D5AD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5EEC61
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17319 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:07:44 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 4AF2E513-36A8-46C9-B64C-FCC99AA4D5AD
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17318 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:07:44 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-623172081-1161694241-1284219287-3088539922
Account Name: 2524D9F1-0C21-453E-97A1-8B4C126117B8
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5DF979
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17317 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:07:29 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x5E5F35
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17316 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:07:15 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Identification
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x5E5F35
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {263E8714-E751-0AC8-D615-26BB3905D945}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 64399
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17315 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:06:50 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x5E5F35
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17314 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:06:50 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-623172081-1161694241-1284219287-3088539922
Account Name: 2524D9F1-0C21-453E-97A1-8B4C126117B8
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5E3284
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17313 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:06:38 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-623172081-1161694241-1284219287-3088539922
Account Name: 2524D9F1-0C21-453E-97A1-8B4C126117B8
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5E3284
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17312 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:06:38 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-623172081-1161694241-1284219287-3088539922
Account Name: 2524D9F1-0C21-453E-97A1-8B4C126117B8
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5E3284
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17311 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:06:38 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 2524D9F1-0C21-453E-97A1-8B4C126117B8
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17310 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:06:38 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-623172081-1161694241-1284219287-3088539922
Account Name: 2524D9F1-0C21-453E-97A1-8B4C126117B8
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5E062C
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17309 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:06:34 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-623172081-1161694241-1284219287-3088539922
Account Name: 2524D9F1-0C21-453E-97A1-8B4C126117B8
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5E062C
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17308 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:06:34 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-623172081-1161694241-1284219287-3088539922
Account Name: 2524D9F1-0C21-453E-97A1-8B4C126117B8
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5E062C
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17307 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:06:34 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 2524D9F1-0C21-453E-97A1-8B4C126117B8
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17306 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:06:34 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-623172081-1161694241-1284219287-3088539922
Account Name: 2524D9F1-0C21-453E-97A1-8B4C126117B8
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5DF832
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17305 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:06:34 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-623172081-1161694241-1284219287-3088539922
Account Name: 2524D9F1-0C21-453E-97A1-8B4C126117B8
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5DF979
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17304 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:06:34 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-623172081-1161694241-1284219287-3088539922
Account Name: 2524D9F1-0C21-453E-97A1-8B4C126117B8
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5DF979
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17303 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:06:34 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 2524D9F1-0C21-453E-97A1-8B4C126117B8
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17302 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:06:34 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-623172081-1161694241-1284219287-3088539922
Account Name: 2524D9F1-0C21-453E-97A1-8B4C126117B8
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5DF920
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17301 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:06:34 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-623172081-1161694241-1284219287-3088539922
Account Name: 2524D9F1-0C21-453E-97A1-8B4C126117B8
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5DF920
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17300 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:06:34 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-623172081-1161694241-1284219287-3088539922
Account Name: 2524D9F1-0C21-453E-97A1-8B4C126117B8
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5DF920
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17299 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:06:34 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 2524D9F1-0C21-453E-97A1-8B4C126117B8
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17298 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:06:34 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-623172081-1161694241-1284219287-3088539922
Account Name: 2524D9F1-0C21-453E-97A1-8B4C126117B8
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5DF8D7
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17297 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:06:34 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-623172081-1161694241-1284219287-3088539922
Account Name: 2524D9F1-0C21-453E-97A1-8B4C126117B8
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5DF8D7
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17296 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:06:34 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-623172081-1161694241-1284219287-3088539922
Account Name: 2524D9F1-0C21-453E-97A1-8B4C126117B8
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5DF8D7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17295 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:06:34 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 2524D9F1-0C21-453E-97A1-8B4C126117B8
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17294 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:06:34 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-623172081-1161694241-1284219287-3088539922
Account Name: 2524D9F1-0C21-453E-97A1-8B4C126117B8
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5DF832
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17293 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:06:34 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-623172081-1161694241-1284219287-3088539922
Account Name: 2524D9F1-0C21-453E-97A1-8B4C126117B8
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5DF832
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17292 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:06:34 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 2524D9F1-0C21-453E-97A1-8B4C126117B8
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17291 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:06:34 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x5D5FB9
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17290 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:06:23 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3664794201-1304323151-77409956-3825267337
Account Name: DA705259-644F-4DBE-A42E-9D0489F200E4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5D657E
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17289 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:06:16 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3664794201-1304323151-77409956-3825267337
Account Name: DA705259-644F-4DBE-A42E-9D0489F200E4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5D843C
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17288 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:06:12 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3664794201-1304323151-77409956-3825267337
Account Name: DA705259-644F-4DBE-A42E-9D0489F200E4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5D843C
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17287 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:06:12 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3664794201-1304323151-77409956-3825267337
Account Name: DA705259-644F-4DBE-A42E-9D0489F200E4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5D843C
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17286 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:06:12 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: DA705259-644F-4DBE-A42E-9D0489F200E4
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17285 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:06:12 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3664794201-1304323151-77409956-3825267337
Account Name: DA705259-644F-4DBE-A42E-9D0489F200E4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5D7262
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17284 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:06:11 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3664794201-1304323151-77409956-3825267337
Account Name: DA705259-644F-4DBE-A42E-9D0489F200E4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5D7262
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17283 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:06:11 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3664794201-1304323151-77409956-3825267337
Account Name: DA705259-644F-4DBE-A42E-9D0489F200E4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5D7262
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17282 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:06:11 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: DA705259-644F-4DBE-A42E-9D0489F200E4
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17281 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:06:11 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3664794201-1304323151-77409956-3825267337
Account Name: DA705259-644F-4DBE-A42E-9D0489F200E4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5D6436
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17280 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:06:11 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3664794201-1304323151-77409956-3825267337
Account Name: DA705259-644F-4DBE-A42E-9D0489F200E4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5D657E
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17279 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:06:11 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3664794201-1304323151-77409956-3825267337
Account Name: DA705259-644F-4DBE-A42E-9D0489F200E4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5D657E
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17278 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:06:11 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: DA705259-644F-4DBE-A42E-9D0489F200E4
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17277 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:06:11 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3664794201-1304323151-77409956-3825267337
Account Name: DA705259-644F-4DBE-A42E-9D0489F200E4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5D6525
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17276 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:06:11 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3664794201-1304323151-77409956-3825267337
Account Name: DA705259-644F-4DBE-A42E-9D0489F200E4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5D6525
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17275 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:06:11 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3664794201-1304323151-77409956-3825267337
Account Name: DA705259-644F-4DBE-A42E-9D0489F200E4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5D6525
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17274 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:06:11 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: DA705259-644F-4DBE-A42E-9D0489F200E4
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17273 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:06:11 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3664794201-1304323151-77409956-3825267337
Account Name: DA705259-644F-4DBE-A42E-9D0489F200E4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5D64DC
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17272 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:06:11 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3664794201-1304323151-77409956-3825267337
Account Name: DA705259-644F-4DBE-A42E-9D0489F200E4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5D64DC
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17271 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:06:11 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3664794201-1304323151-77409956-3825267337
Account Name: DA705259-644F-4DBE-A42E-9D0489F200E4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5D64DC
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17270 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:06:11 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: DA705259-644F-4DBE-A42E-9D0489F200E4
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17269 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:06:11 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3664794201-1304323151-77409956-3825267337
Account Name: DA705259-644F-4DBE-A42E-9D0489F200E4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5D6436
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17268 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:06:11 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3664794201-1304323151-77409956-3825267337
Account Name: DA705259-644F-4DBE-A42E-9D0489F200E4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5D6436
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17267 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:06:11 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: DA705259-644F-4DBE-A42E-9D0489F200E4
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17266 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:06:11 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x5D6018
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17265 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:06:07 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x5D6007
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17264 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:06:07 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x5D6009
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17263 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:06:07 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x5D6018
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: N-H2-849328-3
Source Network Address: 10.222.0.76
Source Port: 64395
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): NTLM V2
Key Length: 128
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17262 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:06:07 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x5D6018
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17261 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:06:07 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x5D6009
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: N-H2-849328-3
Source Network Address: 10.222.0.76
Source Port: 64394
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): NTLM V2
Key Length: 128
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17260 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:06:07 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x5D6009
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17259 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:06:07 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x5D6007
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: N-H2-849328-3
Source Network Address: 10.222.0.76
Source Port: 64393
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): NTLM V2
Key Length: 128
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17258 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:06:07 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x5D6007
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17257 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:06:07 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x5D5FB9
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: N-H2-849328-3
Source Network Address: 10.222.0.76
Source Port: 64392
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): NTLM V2
Key Length: 128
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17256 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:06:07 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x5D5FB9
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17255 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:06:07 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x5CA8B0
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17254 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:05:45 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-346190951-1272224766-3311061152-1782258641
Account Name: 14A27467-9BFE-4BD4-A0C8-5AC5D11B3B6A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5C886D
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17253 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:05:22 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-346190951-1272224766-3311061152-1782258641
Account Name: 14A27467-9BFE-4BD4-A0C8-5AC5D11B3B6A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5CC100
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17252 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:04:52 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-346190951-1272224766-3311061152-1782258641
Account Name: 14A27467-9BFE-4BD4-A0C8-5AC5D11B3B6A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5CC100
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17251 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:04:52 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-346190951-1272224766-3311061152-1782258641
Account Name: 14A27467-9BFE-4BD4-A0C8-5AC5D11B3B6A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5CC100
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17250 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:04:52 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 14A27467-9BFE-4BD4-A0C8-5AC5D11B3B6A
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17249 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:04:52 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Identification
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x5CA8B0
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {263E8714-E751-0AC8-D615-26BB3905D945}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 64378
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17248 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:04:49 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x5CA8B0
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17247 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:04:49 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-346190951-1272224766-3311061152-1782258641
Account Name: 14A27467-9BFE-4BD4-A0C8-5AC5D11B3B6A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5C9545
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17246 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:04:47 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-346190951-1272224766-3311061152-1782258641
Account Name: 14A27467-9BFE-4BD4-A0C8-5AC5D11B3B6A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5C9545
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17245 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:04:47 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-346190951-1272224766-3311061152-1782258641
Account Name: 14A27467-9BFE-4BD4-A0C8-5AC5D11B3B6A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5C9545
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17244 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:04:47 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 14A27467-9BFE-4BD4-A0C8-5AC5D11B3B6A
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17243 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:04:47 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-346190951-1272224766-3311061152-1782258641
Account Name: 14A27467-9BFE-4BD4-A0C8-5AC5D11B3B6A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5C8725
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17242 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:04:47 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-346190951-1272224766-3311061152-1782258641
Account Name: 14A27467-9BFE-4BD4-A0C8-5AC5D11B3B6A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5C886D
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17241 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:04:47 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-346190951-1272224766-3311061152-1782258641
Account Name: 14A27467-9BFE-4BD4-A0C8-5AC5D11B3B6A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5C886D
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17240 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:04:47 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 14A27467-9BFE-4BD4-A0C8-5AC5D11B3B6A
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17239 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:04:47 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-346190951-1272224766-3311061152-1782258641
Account Name: 14A27467-9BFE-4BD4-A0C8-5AC5D11B3B6A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5C8814
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17238 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:04:47 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-346190951-1272224766-3311061152-1782258641
Account Name: 14A27467-9BFE-4BD4-A0C8-5AC5D11B3B6A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5C8814
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17237 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:04:47 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-346190951-1272224766-3311061152-1782258641
Account Name: 14A27467-9BFE-4BD4-A0C8-5AC5D11B3B6A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5C8814
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17236 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:04:47 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 14A27467-9BFE-4BD4-A0C8-5AC5D11B3B6A
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17235 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:04:47 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-346190951-1272224766-3311061152-1782258641
Account Name: 14A27467-9BFE-4BD4-A0C8-5AC5D11B3B6A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5C87CB
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17234 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:04:47 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-346190951-1272224766-3311061152-1782258641
Account Name: 14A27467-9BFE-4BD4-A0C8-5AC5D11B3B6A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5C87CB
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17233 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:04:47 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-346190951-1272224766-3311061152-1782258641
Account Name: 14A27467-9BFE-4BD4-A0C8-5AC5D11B3B6A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5C87CB
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17232 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:04:47 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 14A27467-9BFE-4BD4-A0C8-5AC5D11B3B6A
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17231 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:04:47 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-346190951-1272224766-3311061152-1782258641
Account Name: 14A27467-9BFE-4BD4-A0C8-5AC5D11B3B6A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5C8725
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17230 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:04:47 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-346190951-1272224766-3311061152-1782258641
Account Name: 14A27467-9BFE-4BD4-A0C8-5AC5D11B3B6A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5C8725
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17229 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:04:47 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 14A27467-9BFE-4BD4-A0C8-5AC5D11B3B6A
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17228 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:04:47 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1705528725-1231785491-1922741650-76020728
Account Name: 65A84D95-8E13-496B-92B5-9A72F8FB8704
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5BB5ED
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17227 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:04:26 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x5A9BD5
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17226 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:04:15 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1705528725-1231785491-1922741650-76020728
Account Name: 65A84D95-8E13-496B-92B5-9A72F8FB8704
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5BEE6D
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17225 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:03:55 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1705528725-1231785491-1922741650-76020728
Account Name: 65A84D95-8E13-496B-92B5-9A72F8FB8704
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5BEE6D
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17224 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:03:55 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1705528725-1231785491-1922741650-76020728
Account Name: 65A84D95-8E13-496B-92B5-9A72F8FB8704
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5BEE6D
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17223 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:03:55 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 65A84D95-8E13-496B-92B5-9A72F8FB8704
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17222 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:03:55 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1705528725-1231785491-1922741650-76020728
Account Name: 65A84D95-8E13-496B-92B5-9A72F8FB8704
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5BC298
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17221 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:03:50 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1705528725-1231785491-1922741650-76020728
Account Name: 65A84D95-8E13-496B-92B5-9A72F8FB8704
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5BC298
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17220 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:03:50 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1705528725-1231785491-1922741650-76020728
Account Name: 65A84D95-8E13-496B-92B5-9A72F8FB8704
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5BC298
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17219 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:03:50 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 65A84D95-8E13-496B-92B5-9A72F8FB8704
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17218 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:03:50 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1705528725-1231785491-1922741650-76020728
Account Name: 65A84D95-8E13-496B-92B5-9A72F8FB8704
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5BB4A6
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17217 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:03:50 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1705528725-1231785491-1922741650-76020728
Account Name: 65A84D95-8E13-496B-92B5-9A72F8FB8704
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5BB5ED
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17216 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:03:50 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1705528725-1231785491-1922741650-76020728
Account Name: 65A84D95-8E13-496B-92B5-9A72F8FB8704
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5BB5ED
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17215 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:03:50 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 65A84D95-8E13-496B-92B5-9A72F8FB8704
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17214 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:03:50 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1705528725-1231785491-1922741650-76020728
Account Name: 65A84D95-8E13-496B-92B5-9A72F8FB8704
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5BB594
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17213 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:03:50 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1705528725-1231785491-1922741650-76020728
Account Name: 65A84D95-8E13-496B-92B5-9A72F8FB8704
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5BB594
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17212 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:03:50 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1705528725-1231785491-1922741650-76020728
Account Name: 65A84D95-8E13-496B-92B5-9A72F8FB8704
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5BB594
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17211 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:03:50 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 65A84D95-8E13-496B-92B5-9A72F8FB8704
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17210 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:03:50 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1705528725-1231785491-1922741650-76020728
Account Name: 65A84D95-8E13-496B-92B5-9A72F8FB8704
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5BB54B
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17209 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:03:50 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1705528725-1231785491-1922741650-76020728
Account Name: 65A84D95-8E13-496B-92B5-9A72F8FB8704
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5BB54B
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17208 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:03:50 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1705528725-1231785491-1922741650-76020728
Account Name: 65A84D95-8E13-496B-92B5-9A72F8FB8704
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5BB54B
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17207 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:03:50 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 65A84D95-8E13-496B-92B5-9A72F8FB8704
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17206 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:03:50 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1705528725-1231785491-1922741650-76020728
Account Name: 65A84D95-8E13-496B-92B5-9A72F8FB8704
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5BB4A6
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17205 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:03:50 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1705528725-1231785491-1922741650-76020728
Account Name: 65A84D95-8E13-496B-92B5-9A72F8FB8704
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5BB4A6
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17204 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:03:50 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 65A84D95-8E13-496B-92B5-9A72F8FB8704
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17203 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:03:50 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1240828406-1105970771-1510952623-1372785013
Account Name: 49F589F6-C653-41EB-AF4E-0F5A7509D351
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5B067B
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17202 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:03:37 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1240828406-1105970771-1510952623-1372785013
Account Name: 49F589F6-C653-41EB-AF4E-0F5A7509D351
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5B40E1
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17201 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:03:33 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1240828406-1105970771-1510952623-1372785013
Account Name: 49F589F6-C653-41EB-AF4E-0F5A7509D351
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5B40E1
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17200 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:03:33 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1240828406-1105970771-1510952623-1372785013
Account Name: 49F589F6-C653-41EB-AF4E-0F5A7509D351
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5B40E1
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17199 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:03:33 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 49F589F6-C653-41EB-AF4E-0F5A7509D351
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17198 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:03:33 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1240828406-1105970771-1510952623-1372785013
Account Name: 49F589F6-C653-41EB-AF4E-0F5A7509D351
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5B134D
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17197 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:03:28 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1240828406-1105970771-1510952623-1372785013
Account Name: 49F589F6-C653-41EB-AF4E-0F5A7509D351
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5B134D
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17196 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:03:28 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1240828406-1105970771-1510952623-1372785013
Account Name: 49F589F6-C653-41EB-AF4E-0F5A7509D351
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5B134D
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17195 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:03:28 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 49F589F6-C653-41EB-AF4E-0F5A7509D351
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17194 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:03:28 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1240828406-1105970771-1510952623-1372785013
Account Name: 49F589F6-C653-41EB-AF4E-0F5A7509D351
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5B04BE
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17193 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:03:27 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1240828406-1105970771-1510952623-1372785013
Account Name: 49F589F6-C653-41EB-AF4E-0F5A7509D351
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5B067B
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17192 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:03:27 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1240828406-1105970771-1510952623-1372785013
Account Name: 49F589F6-C653-41EB-AF4E-0F5A7509D351
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5B067B
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17191 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:03:27 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 49F589F6-C653-41EB-AF4E-0F5A7509D351
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17190 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:03:27 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1240828406-1105970771-1510952623-1372785013
Account Name: 49F589F6-C653-41EB-AF4E-0F5A7509D351
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5B0622
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17189 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:03:27 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1240828406-1105970771-1510952623-1372785013
Account Name: 49F589F6-C653-41EB-AF4E-0F5A7509D351
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5B0622
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17188 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:03:27 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1240828406-1105970771-1510952623-1372785013
Account Name: 49F589F6-C653-41EB-AF4E-0F5A7509D351
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5B0622
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17187 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:03:27 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 49F589F6-C653-41EB-AF4E-0F5A7509D351
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17186 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:03:27 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1240828406-1105970771-1510952623-1372785013
Account Name: 49F589F6-C653-41EB-AF4E-0F5A7509D351
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5B0564
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17185 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:03:27 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1240828406-1105970771-1510952623-1372785013
Account Name: 49F589F6-C653-41EB-AF4E-0F5A7509D351
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5B0564
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17184 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:03:27 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1240828406-1105970771-1510952623-1372785013
Account Name: 49F589F6-C653-41EB-AF4E-0F5A7509D351
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5B0564
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17183 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:03:27 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 49F589F6-C653-41EB-AF4E-0F5A7509D351
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17182 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:03:27 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1240828406-1105970771-1510952623-1372785013
Account Name: 49F589F6-C653-41EB-AF4E-0F5A7509D351
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5B04BE
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17181 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:03:27 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1240828406-1105970771-1510952623-1372785013
Account Name: 49F589F6-C653-41EB-AF4E-0F5A7509D351
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5B04BE
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17180 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:03:27 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 49F589F6-C653-41EB-AF4E-0F5A7509D351
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17179 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:03:27 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-425130512-1287281645-632633261-1997123537
Account Name: 1956FA10-5BED-4CBA-AD37-B525D1AF0977
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x58AEE8
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17178 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:02:56 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Identification
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x5A9BD5
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {263E8714-E751-0AC8-D615-26BB3905D945}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 64368
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17177 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:02:48 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x5A9BD5
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17176 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:02:48 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x5A2F92
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17175 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:01:15 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Identification
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x5A2F92
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {263E8714-E751-0AC8-D615-26BB3905D945}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 64362
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17174 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:00:47 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x5A2F92
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17173 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:00:47 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2628584823-1173006794-1517268651-298669520
Account Name: 9CAD0577-A9CA-45EA-ABAE-6F5AD055CD11
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x595BB6
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17172 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:00:44 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2628584823-1173006794-1517268651-298669520
Account Name: 9CAD0577-A9CA-45EA-ABAE-6F5AD055CD11
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x59A944
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17171 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:00:04 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2628584823-1173006794-1517268651-298669520
Account Name: 9CAD0577-A9CA-45EA-ABAE-6F5AD055CD11
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x59A944
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17170 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:00:04 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2628584823-1173006794-1517268651-298669520
Account Name: 9CAD0577-A9CA-45EA-ABAE-6F5AD055CD11
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x59A944
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17169 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:00:04 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 9CAD0577-A9CA-45EA-ABAE-6F5AD055CD11
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17168 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 11:00:04 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2628584823-1173006794-1517268651-298669520
Account Name: 9CAD0577-A9CA-45EA-ABAE-6F5AD055CD11
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x597B7A
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17167 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:59:59 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2628584823-1173006794-1517268651-298669520
Account Name: 9CAD0577-A9CA-45EA-ABAE-6F5AD055CD11
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x597B7A
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17166 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:59:59 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2628584823-1173006794-1517268651-298669520
Account Name: 9CAD0577-A9CA-45EA-ABAE-6F5AD055CD11
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x597B7A
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17165 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:59:59 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 9CAD0577-A9CA-45EA-ABAE-6F5AD055CD11
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17164 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:59:59 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2628584823-1173006794-1517268651-298669520
Account Name: 9CAD0577-A9CA-45EA-ABAE-6F5AD055CD11
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5959E5
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17163 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:59:54 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2628584823-1173006794-1517268651-298669520
Account Name: 9CAD0577-A9CA-45EA-ABAE-6F5AD055CD11
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x595BB6
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17162 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:59:54 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2628584823-1173006794-1517268651-298669520
Account Name: 9CAD0577-A9CA-45EA-ABAE-6F5AD055CD11
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x595BB6
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17161 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:59:54 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 9CAD0577-A9CA-45EA-ABAE-6F5AD055CD11
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17160 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:59:54 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2628584823-1173006794-1517268651-298669520
Account Name: 9CAD0577-A9CA-45EA-ABAE-6F5AD055CD11
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x595B5D
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17159 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:59:54 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2628584823-1173006794-1517268651-298669520
Account Name: 9CAD0577-A9CA-45EA-ABAE-6F5AD055CD11
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x595B5D
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17158 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:59:54 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2628584823-1173006794-1517268651-298669520
Account Name: 9CAD0577-A9CA-45EA-ABAE-6F5AD055CD11
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x595B5D
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17157 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:59:54 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 9CAD0577-A9CA-45EA-ABAE-6F5AD055CD11
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17156 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:59:54 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2628584823-1173006794-1517268651-298669520
Account Name: 9CAD0577-A9CA-45EA-ABAE-6F5AD055CD11
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x595A9D
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17155 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:59:54 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2628584823-1173006794-1517268651-298669520
Account Name: 9CAD0577-A9CA-45EA-ABAE-6F5AD055CD11
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x595A9D
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17154 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:59:54 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2628584823-1173006794-1517268651-298669520
Account Name: 9CAD0577-A9CA-45EA-ABAE-6F5AD055CD11
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x595A9D
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17153 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:59:54 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 9CAD0577-A9CA-45EA-ABAE-6F5AD055CD11
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17152 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:59:54 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2628584823-1173006794-1517268651-298669520
Account Name: 9CAD0577-A9CA-45EA-ABAE-6F5AD055CD11
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5959E5
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17151 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:59:54 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2628584823-1173006794-1517268651-298669520
Account Name: 9CAD0577-A9CA-45EA-ABAE-6F5AD055CD11
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5959E5
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17150 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:59:54 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 9CAD0577-A9CA-45EA-ABAE-6F5AD055CD11
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17149 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:59:54 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x5919D2
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17148 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:59:45 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Identification
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x5919D2
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {263E8714-E751-0AC8-D615-26BB3905D945}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 64349
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17147 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:58:46 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x5919D2
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17146 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:58:46 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-425130512-1287281645-632633261-1997123537
Account Name: 1956FA10-5BED-4CBA-AD37-B525D1AF0977
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x590244
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17145 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:58:42 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-425130512-1287281645-632633261-1997123537
Account Name: 1956FA10-5BED-4CBA-AD37-B525D1AF0977
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x590244
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17144 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:58:42 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-425130512-1287281645-632633261-1997123537
Account Name: 1956FA10-5BED-4CBA-AD37-B525D1AF0977
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x590244
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17143 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:58:42 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 1956FA10-5BED-4CBA-AD37-B525D1AF0977
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17142 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:58:42 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-425130512-1287281645-632633261-1997123537
Account Name: 1956FA10-5BED-4CBA-AD37-B525D1AF0977
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x58CC0C
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17141 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:58:37 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-425130512-1287281645-632633261-1997123537
Account Name: 1956FA10-5BED-4CBA-AD37-B525D1AF0977
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x58CC0C
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17140 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:58:37 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-425130512-1287281645-632633261-1997123537
Account Name: 1956FA10-5BED-4CBA-AD37-B525D1AF0977
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x58CC0C
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17139 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:58:37 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 1956FA10-5BED-4CBA-AD37-B525D1AF0977
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17138 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:58:37 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-425130512-1287281645-632633261-1997123537
Account Name: 1956FA10-5BED-4CBA-AD37-B525D1AF0977
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x58AD8D
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17137 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:58:36 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-425130512-1287281645-632633261-1997123537
Account Name: 1956FA10-5BED-4CBA-AD37-B525D1AF0977
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x58AEE8
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17136 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:58:36 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-425130512-1287281645-632633261-1997123537
Account Name: 1956FA10-5BED-4CBA-AD37-B525D1AF0977
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x58AEE8
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17135 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:58:36 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 1956FA10-5BED-4CBA-AD37-B525D1AF0977
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17134 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:58:36 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-425130512-1287281645-632633261-1997123537
Account Name: 1956FA10-5BED-4CBA-AD37-B525D1AF0977
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x58AE8F
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17133 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:58:36 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-425130512-1287281645-632633261-1997123537
Account Name: 1956FA10-5BED-4CBA-AD37-B525D1AF0977
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x58AE8F
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17132 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:58:36 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-425130512-1287281645-632633261-1997123537
Account Name: 1956FA10-5BED-4CBA-AD37-B525D1AF0977
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x58AE8F
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17131 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:58:36 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 1956FA10-5BED-4CBA-AD37-B525D1AF0977
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17130 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:58:36 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-425130512-1287281645-632633261-1997123537
Account Name: 1956FA10-5BED-4CBA-AD37-B525D1AF0977
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x58AE45
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17129 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:58:36 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-425130512-1287281645-632633261-1997123537
Account Name: 1956FA10-5BED-4CBA-AD37-B525D1AF0977
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x58AE45
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17128 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:58:36 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-425130512-1287281645-632633261-1997123537
Account Name: 1956FA10-5BED-4CBA-AD37-B525D1AF0977
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x58AE45
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17127 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:58:36 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 1956FA10-5BED-4CBA-AD37-B525D1AF0977
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17126 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:58:36 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-425130512-1287281645-632633261-1997123537
Account Name: 1956FA10-5BED-4CBA-AD37-B525D1AF0977
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x58AD8D
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17125 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:58:36 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-425130512-1287281645-632633261-1997123537
Account Name: 1956FA10-5BED-4CBA-AD37-B525D1AF0977
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x58AD8D
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17124 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:58:36 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 1956FA10-5BED-4CBA-AD37-B525D1AF0977
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17123 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:58:36 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x5818B7
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17122 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:58:15 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2652867127-1090920689-1523586185-2214141831
Account Name: 9E1F8A37-20F1-4106-8914-D05A871FF983
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x57C92C
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17121 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:57:16 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Identification
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x5818B7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {263E8714-E751-0AC8-D615-26BB3905D945}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 64344
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17120 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:56:45 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x5818B7
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17119 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:56:45 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2652867127-1090920689-1523586185-2214141831
Account Name: 9E1F8A37-20F1-4106-8914-D05A871FF983
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x57ED4F
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17118 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:56:41 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2652867127-1090920689-1523586185-2214141831
Account Name: 9E1F8A37-20F1-4106-8914-D05A871FF983
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x57ED4F
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17117 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:56:41 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2652867127-1090920689-1523586185-2214141831
Account Name: 9E1F8A37-20F1-4106-8914-D05A871FF983
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x57ED4F
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17116 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:56:41 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 9E1F8A37-20F1-4106-8914-D05A871FF983
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17115 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:56:41 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2652867127-1090920689-1523586185-2214141831
Account Name: 9E1F8A37-20F1-4106-8914-D05A871FF983
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x57D5F9
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17114 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:56:40 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2652867127-1090920689-1523586185-2214141831
Account Name: 9E1F8A37-20F1-4106-8914-D05A871FF983
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x57D5F9
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17113 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:56:40 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2652867127-1090920689-1523586185-2214141831
Account Name: 9E1F8A37-20F1-4106-8914-D05A871FF983
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x57D5F9
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17112 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:56:40 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 9E1F8A37-20F1-4106-8914-D05A871FF983
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17111 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:56:40 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2652867127-1090920689-1523586185-2214141831
Account Name: 9E1F8A37-20F1-4106-8914-D05A871FF983
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x57C7E1
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17110 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:56:40 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2652867127-1090920689-1523586185-2214141831
Account Name: 9E1F8A37-20F1-4106-8914-D05A871FF983
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x57C92C
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17109 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:56:40 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2652867127-1090920689-1523586185-2214141831
Account Name: 9E1F8A37-20F1-4106-8914-D05A871FF983
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x57C92C
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17108 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:56:40 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 9E1F8A37-20F1-4106-8914-D05A871FF983
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17107 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:56:40 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2652867127-1090920689-1523586185-2214141831
Account Name: 9E1F8A37-20F1-4106-8914-D05A871FF983
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x57C8D3
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17106 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:56:40 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2652867127-1090920689-1523586185-2214141831
Account Name: 9E1F8A37-20F1-4106-8914-D05A871FF983
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x57C8D3
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17105 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:56:40 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2652867127-1090920689-1523586185-2214141831
Account Name: 9E1F8A37-20F1-4106-8914-D05A871FF983
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x57C8D3
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17104 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:56:40 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 9E1F8A37-20F1-4106-8914-D05A871FF983
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17103 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:56:40 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2652867127-1090920689-1523586185-2214141831
Account Name: 9E1F8A37-20F1-4106-8914-D05A871FF983
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x57C88A
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17102 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:56:40 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2652867127-1090920689-1523586185-2214141831
Account Name: 9E1F8A37-20F1-4106-8914-D05A871FF983
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x57C88A
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17101 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:56:40 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2652867127-1090920689-1523586185-2214141831
Account Name: 9E1F8A37-20F1-4106-8914-D05A871FF983
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x57C88A
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17100 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:56:40 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 9E1F8A37-20F1-4106-8914-D05A871FF983
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17099 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:56:40 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2652867127-1090920689-1523586185-2214141831
Account Name: 9E1F8A37-20F1-4106-8914-D05A871FF983
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x57C7E1
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17098 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:56:40 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2652867127-1090920689-1523586185-2214141831
Account Name: 9E1F8A37-20F1-4106-8914-D05A871FF983
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x57C7E1
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17097 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:56:40 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 9E1F8A37-20F1-4106-8914-D05A871FF983
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17096 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:56:40 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-543610148-1187043155-4278465171-2995695044
Account Name: 2066D524-D753-46C0-9332-04FFC4AD8EB2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x562C23
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17095 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:56:39 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x54D85D
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17094 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:56:27 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x54D848
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17093 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:56:27 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x54D831
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17092 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:56:27 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x54D894
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17091 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:56:27 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x54D820
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17090 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:56:27 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2006433311-1147411518-3592328891-2952030008
Account Name: 7797BE1F-1C3E-4464-BB96-1ED63867F4AF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x568FB7
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17089 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:56:21 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2006433311-1147411518-3592328891-2952030008
Account Name: 7797BE1F-1C3E-4464-BB96-1ED63867F4AF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x56C94E
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17088 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:56:09 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2006433311-1147411518-3592328891-2952030008
Account Name: 7797BE1F-1C3E-4464-BB96-1ED63867F4AF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x56C94E
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17087 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:56:09 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2006433311-1147411518-3592328891-2952030008
Account Name: 7797BE1F-1C3E-4464-BB96-1ED63867F4AF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x56C94E
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17086 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:56:09 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 7797BE1F-1C3E-4464-BB96-1ED63867F4AF
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17085 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:56:09 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2006433311-1147411518-3592328891-2952030008
Account Name: 7797BE1F-1C3E-4464-BB96-1ED63867F4AF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x569CA5
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17084 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:56:05 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2006433311-1147411518-3592328891-2952030008
Account Name: 7797BE1F-1C3E-4464-BB96-1ED63867F4AF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x569CA5
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17083 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:56:05 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2006433311-1147411518-3592328891-2952030008
Account Name: 7797BE1F-1C3E-4464-BB96-1ED63867F4AF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x569CA5
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17082 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:56:05 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 7797BE1F-1C3E-4464-BB96-1ED63867F4AF
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17081 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:56:05 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2006433311-1147411518-3592328891-2952030008
Account Name: 7797BE1F-1C3E-4464-BB96-1ED63867F4AF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x568DF8
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17080 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:56:04 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2006433311-1147411518-3592328891-2952030008
Account Name: 7797BE1F-1C3E-4464-BB96-1ED63867F4AF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x568FB7
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17079 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:56:04 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2006433311-1147411518-3592328891-2952030008
Account Name: 7797BE1F-1C3E-4464-BB96-1ED63867F4AF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x568FB7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17078 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:56:04 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 7797BE1F-1C3E-4464-BB96-1ED63867F4AF
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17077 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:56:04 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2006433311-1147411518-3592328891-2952030008
Account Name: 7797BE1F-1C3E-4464-BB96-1ED63867F4AF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x568EE7
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17076 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:56:04 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2006433311-1147411518-3592328891-2952030008
Account Name: 7797BE1F-1C3E-4464-BB96-1ED63867F4AF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x568EE7
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17075 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:56:04 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2006433311-1147411518-3592328891-2952030008
Account Name: 7797BE1F-1C3E-4464-BB96-1ED63867F4AF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x568EE7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17074 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:56:04 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 7797BE1F-1C3E-4464-BB96-1ED63867F4AF
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17073 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:56:04 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2006433311-1147411518-3592328891-2952030008
Account Name: 7797BE1F-1C3E-4464-BB96-1ED63867F4AF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x568E9E
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17072 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:56:04 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2006433311-1147411518-3592328891-2952030008
Account Name: 7797BE1F-1C3E-4464-BB96-1ED63867F4AF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x568E9E
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17071 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:56:04 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2006433311-1147411518-3592328891-2952030008
Account Name: 7797BE1F-1C3E-4464-BB96-1ED63867F4AF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x568E9E
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17070 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:56:04 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 7797BE1F-1C3E-4464-BB96-1ED63867F4AF
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17069 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:56:04 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2006433311-1147411518-3592328891-2952030008
Account Name: 7797BE1F-1C3E-4464-BB96-1ED63867F4AF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x568DF8
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17068 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:56:04 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2006433311-1147411518-3592328891-2952030008
Account Name: 7797BE1F-1C3E-4464-BB96-1ED63867F4AF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x568DF8
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17067 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:56:04 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 7797BE1F-1C3E-4464-BB96-1ED63867F4AF
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17066 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:56:04 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-543610148-1187043155-4278465171-2995695044
Account Name: 2066D524-D753-46C0-9332-04FFC4AD8EB2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x56659B
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17065 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:55:53 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-543610148-1187043155-4278465171-2995695044
Account Name: 2066D524-D753-46C0-9332-04FFC4AD8EB2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x56659B
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17064 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:55:53 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-543610148-1187043155-4278465171-2995695044
Account Name: 2066D524-D753-46C0-9332-04FFC4AD8EB2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x56659B
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17063 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:55:53 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 2066D524-D753-46C0-9332-04FFC4AD8EB2
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17062 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:55:53 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-543610148-1187043155-4278465171-2995695044
Account Name: 2066D524-D753-46C0-9332-04FFC4AD8EB2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5638E7
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17061 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:55:48 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-543610148-1187043155-4278465171-2995695044
Account Name: 2066D524-D753-46C0-9332-04FFC4AD8EB2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5638E7
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17060 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:55:48 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-543610148-1187043155-4278465171-2995695044
Account Name: 2066D524-D753-46C0-9332-04FFC4AD8EB2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5638E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17059 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:55:48 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 2066D524-D753-46C0-9332-04FFC4AD8EB2
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17058 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:55:48 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-543610148-1187043155-4278465171-2995695044
Account Name: 2066D524-D753-46C0-9332-04FFC4AD8EB2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x562AD8
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17057 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:55:48 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-543610148-1187043155-4278465171-2995695044
Account Name: 2066D524-D753-46C0-9332-04FFC4AD8EB2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x562C23
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17056 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:55:48 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-543610148-1187043155-4278465171-2995695044
Account Name: 2066D524-D753-46C0-9332-04FFC4AD8EB2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x562C23
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17055 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:55:48 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 2066D524-D753-46C0-9332-04FFC4AD8EB2
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17054 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:55:48 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-543610148-1187043155-4278465171-2995695044
Account Name: 2066D524-D753-46C0-9332-04FFC4AD8EB2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x562BC6
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17053 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:55:47 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-543610148-1187043155-4278465171-2995695044
Account Name: 2066D524-D753-46C0-9332-04FFC4AD8EB2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x562BC6
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17052 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:55:47 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-543610148-1187043155-4278465171-2995695044
Account Name: 2066D524-D753-46C0-9332-04FFC4AD8EB2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x562BC6
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17051 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:55:47 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 2066D524-D753-46C0-9332-04FFC4AD8EB2
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17050 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:55:47 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-543610148-1187043155-4278465171-2995695044
Account Name: 2066D524-D753-46C0-9332-04FFC4AD8EB2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x562B7D
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17049 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:55:47 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-543610148-1187043155-4278465171-2995695044
Account Name: 2066D524-D753-46C0-9332-04FFC4AD8EB2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x562B7D
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17048 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:55:47 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-543610148-1187043155-4278465171-2995695044
Account Name: 2066D524-D753-46C0-9332-04FFC4AD8EB2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x562B7D
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17047 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:55:47 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 2066D524-D753-46C0-9332-04FFC4AD8EB2
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17046 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:55:47 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-543610148-1187043155-4278465171-2995695044
Account Name: 2066D524-D753-46C0-9332-04FFC4AD8EB2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x562AD8
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17045 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:55:47 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-543610148-1187043155-4278465171-2995695044
Account Name: 2066D524-D753-46C0-9332-04FFC4AD8EB2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x562AD8
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17044 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:55:47 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 2066D524-D753-46C0-9332-04FFC4AD8EB2
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17043 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:55:47 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x54D7EE
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17042 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:55:15 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x545959
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17041 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 1088 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:55:15 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-1106
Account Name: N-H2-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x54EB49
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17040 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:55:11 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-1106
Account Name: N-H2-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x54E695
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17039 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:55:11 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x54D778
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17038 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:55:11 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1246273456-1236475055-496356012-1491662887
Account Name: 4A489FB0-1CAF-49B3-ACCA-951D27F8E858
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x555BAC
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17037 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:55:09 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1246273456-1236475055-496356012-1491662887
Account Name: 4A489FB0-1CAF-49B3-ACCA-951D27F8E858
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x54D9D0
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17036 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:55:09 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2459401722-1099618446-1287055272-439493191
Account Name: 92977DFA-D88E-418A-A8E7-B64C4722321A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5399F9
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17035 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:55:07 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x54D9A8
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17034 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:55:00 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1246273456-1236475055-496356012-1491662887
Account Name: 4A489FB0-1CAF-49B3-ACCA-951D27F8E858
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x555BAC
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17033 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:55:00 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1246273456-1236475055-496356012-1491662887
Account Name: 4A489FB0-1CAF-49B3-ACCA-951D27F8E858
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x555BAC
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17032 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:55:00 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 4A489FB0-1CAF-49B3-ACCA-951D27F8E858
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17031 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:55:00 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x551FFB
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17030 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:54:57 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x551FFB
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {BE464429-D03B-6DB3-001E-122B4D1B6DE0}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17029 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:54:57 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x551FFB
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17028 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:54:57 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1246273456-1236475055-496356012-1491662887
Account Name: 4A489FB0-1CAF-49B3-ACCA-951D27F8E858
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x551CDA
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17027 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:54:57 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1246273456-1236475055-496356012-1491662887
Account Name: 4A489FB0-1CAF-49B3-ACCA-951D27F8E858
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x551CDA
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17026 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:54:57 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1246273456-1236475055-496356012-1491662887
Account Name: 4A489FB0-1CAF-49B3-ACCA-951D27F8E858
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x551CDA
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17025 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:54:57 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 4A489FB0-1CAF-49B3-ACCA-951D27F8E858
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17024 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:54:57 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1246273456-1236475055-496356012-1491662887
Account Name: 4A489FB0-1CAF-49B3-ACCA-951D27F8E858
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x551B81
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17023 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:54:57 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1246273456-1236475055-496356012-1491662887
Account Name: 4A489FB0-1CAF-49B3-ACCA-951D27F8E858
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x551B81
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17022 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:54:57 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1246273456-1236475055-496356012-1491662887
Account Name: 4A489FB0-1CAF-49B3-ACCA-951D27F8E858
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x551B81
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17021 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:54:57 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 4A489FB0-1CAF-49B3-ACCA-951D27F8E858
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17020 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:54:57 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17019 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:54:57 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x328
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17018 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:54:57 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-1106
Account Name: N-H2-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x54EB85
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17017 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:54:56 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-1106
Account Name: N-H2-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x54EB9E
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17016 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:54:56 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-1106
Account Name: N-H2-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x54EB95
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17015 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:54:56 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: No
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-1106
Account Name: N-H2-849328-3$
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x54EB9E
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {4CD9A6CE-C497-A01C-D255-1F119B86515E}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 64314
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17014 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:54:56 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: No
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-1106
Account Name: N-H2-849328-3$
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x54EB95
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {4CD9A6CE-C497-A01C-D255-1F119B86515E}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 64313
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17013 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:54:56 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: No
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-1106
Account Name: N-H2-849328-3$
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x54EB85
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {4CD9A6CE-C497-A01C-D255-1F119B86515E}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 64312
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17012 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:54:56 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: No
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-1106
Account Name: N-H2-849328-3$
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x54EB49
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {4CD9A6CE-C497-A01C-D255-1F119B86515E}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 64311
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17011 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:54:56 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: No
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-1106
Account Name: N-H2-849328-3$
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x54E695
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {4CD9A6CE-C497-A01C-D255-1F119B86515E}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 64311
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17010 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:54:56 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-1106
Account Name: N-H2-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x54DA8F
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17009 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:54:55 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: No
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-1106
Account Name: N-H2-849328-3$
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x54DA8F
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {5FB33D03-D2F8-E234-FC21-8EBC21E4271E}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17008 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:54:55 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1246273456-1236475055-496356012-1491662887
Account Name: 4A489FB0-1CAF-49B3-ACCA-951D27F8E858
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x54DA23
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 17007 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:54:55 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1246273456-1236475055-496356012-1491662887
Account Name: 4A489FB0-1CAF-49B3-ACCA-951D27F8E858
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x54DA23
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17006 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:54:55 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1246273456-1236475055-496356012-1491662887
Account Name: 4A489FB0-1CAF-49B3-ACCA-951D27F8E858
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x54DA23
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17005 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:54:55 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 4A489FB0-1CAF-49B3-ACCA-951D27F8E858
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17004 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:54:55 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1246273456-1236475055-496356012-1491662887
Account Name: 4A489FB0-1CAF-49B3-ACCA-951D27F8E858
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x54D9D0
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 17003 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:54:55 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1246273456-1236475055-496356012-1491662887
Account Name: 4A489FB0-1CAF-49B3-ACCA-951D27F8E858
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x54D9D0
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17002 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:54:55 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 4A489FB0-1CAF-49B3-ACCA-951D27F8E858
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 17001 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:54:55 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x54D9A8
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {BE464429-D03B-6DB3-001E-122B4D1B6DE0}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 17000 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:54:55 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x54D9A8
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16999 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:54:55 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x54D894
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {BA32453F-14A8-4DF7-1B09-E6BFDE89C5D2}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 64317
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16998 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:54:55 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x54D894
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16997 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:54:55 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x54D85D
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {BA32453F-14A8-4DF7-1B09-E6BFDE89C5D2}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 64316
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16996 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:54:55 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x54D85D
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16995 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:54:55 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x54D848
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {BA32453F-14A8-4DF7-1B09-E6BFDE89C5D2}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 64316
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16994 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:54:55 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x54D848
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16993 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:54:55 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x54D831
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {81359CCD-33AE-CC9B-EB2C-C79D985DE856}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 64316
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16992 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:54:55 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x54D831
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16991 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:54:55 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Identification
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x54D820
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {81359CCD-33AE-CC9B-EB2C-C79D985DE856}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 64316
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16990 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:54:55 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x54D820
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16989 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:54:55 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x54D7EE
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {81359CCD-33AE-CC9B-EB2C-C79D985DE856}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 64310
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16988 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:54:55 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x54D7EE
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16987 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:54:55 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x54D7A2
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16986 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:54:55 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x54D7B8
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16985 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:54:55 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x54D7C9
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16984 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:54:55 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x54D7C9
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {0280A675-5C7E-EB18-A634-7A52969BC6F0}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 64314
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16983 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:54:55 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x54D7C9
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16982 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:54:55 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x54D7B8
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {0280A675-5C7E-EB18-A634-7A52969BC6F0}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 64313
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16981 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:54:55 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x54D7B8
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16980 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:54:55 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x54D7A2
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {0280A675-5C7E-EB18-A634-7A52969BC6F0}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 64312
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16979 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:54:55 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x54D7A2
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16978 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:54:55 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x54D778
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {0280A675-5C7E-EB18-A634-7A52969BC6F0}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 64311
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16977 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:54:55 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x54D778
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16976 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:54:55 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-4135128387-1290393550-2138552754-548477761
Account Name: F6790D43-D7CE-4CE9-B2B9-777F411BB120
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x542DC0
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16975 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:54:52 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-4135128387-1290393550-2138552754-548477761
Account Name: F6790D43-D7CE-4CE9-B2B9-777F411BB120
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x547AA7
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16974 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:54:49 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-4135128387-1290393550-2138552754-548477761
Account Name: F6790D43-D7CE-4CE9-B2B9-777F411BB120
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x547AA7
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16973 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:54:49 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-4135128387-1290393550-2138552754-548477761
Account Name: F6790D43-D7CE-4CE9-B2B9-777F411BB120
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x547AA7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16972 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:54:49 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: F6790D43-D7CE-4CE9-B2B9-777F411BB120
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16971 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:54:49 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Identification
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x545959
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {263E8714-E751-0AC8-D615-26BB3905D945}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 64310
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16970 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:54:44 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x545959
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16969 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:54:44 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-4135128387-1290393550-2138552754-548477761
Account Name: F6790D43-D7CE-4CE9-B2B9-777F411BB120
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x544D01
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16968 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:54:42 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-4135128387-1290393550-2138552754-548477761
Account Name: F6790D43-D7CE-4CE9-B2B9-777F411BB120
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x544D01
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16967 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:54:42 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-4135128387-1290393550-2138552754-548477761
Account Name: F6790D43-D7CE-4CE9-B2B9-777F411BB120
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x544D01
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16966 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:54:42 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: F6790D43-D7CE-4CE9-B2B9-777F411BB120
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16965 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:54:42 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-4135128387-1290393550-2138552754-548477761
Account Name: F6790D43-D7CE-4CE9-B2B9-777F411BB120
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x542C60
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16964 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:54:37 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-4135128387-1290393550-2138552754-548477761
Account Name: F6790D43-D7CE-4CE9-B2B9-777F411BB120
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x542DC0
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16963 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:54:37 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-4135128387-1290393550-2138552754-548477761
Account Name: F6790D43-D7CE-4CE9-B2B9-777F411BB120
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x542DC0
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16962 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:54:37 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: F6790D43-D7CE-4CE9-B2B9-777F411BB120
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16961 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:54:37 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-4135128387-1290393550-2138552754-548477761
Account Name: F6790D43-D7CE-4CE9-B2B9-777F411BB120
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x542D67
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16960 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:54:37 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-4135128387-1290393550-2138552754-548477761
Account Name: F6790D43-D7CE-4CE9-B2B9-777F411BB120
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x542D67
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16959 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:54:37 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-4135128387-1290393550-2138552754-548477761
Account Name: F6790D43-D7CE-4CE9-B2B9-777F411BB120
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x542D67
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16958 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:54:37 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: F6790D43-D7CE-4CE9-B2B9-777F411BB120
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16957 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:54:37 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-4135128387-1290393550-2138552754-548477761
Account Name: F6790D43-D7CE-4CE9-B2B9-777F411BB120
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x542D1D
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16956 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:54:37 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-4135128387-1290393550-2138552754-548477761
Account Name: F6790D43-D7CE-4CE9-B2B9-777F411BB120
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x542D1D
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16955 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:54:37 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-4135128387-1290393550-2138552754-548477761
Account Name: F6790D43-D7CE-4CE9-B2B9-777F411BB120
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x542D1D
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16954 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:54:37 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: F6790D43-D7CE-4CE9-B2B9-777F411BB120
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16953 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:54:37 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-4135128387-1290393550-2138552754-548477761
Account Name: F6790D43-D7CE-4CE9-B2B9-777F411BB120
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x542C60
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16952 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:54:37 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-4135128387-1290393550-2138552754-548477761
Account Name: F6790D43-D7CE-4CE9-B2B9-777F411BB120
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x542C60
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16951 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:54:37 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: F6790D43-D7CE-4CE9-B2B9-777F411BB120
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16950 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:54:37 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2459401722-1099618446-1287055272-439493191
Account Name: 92977DFA-D88E-418A-A8E7-B64C4722321A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x53E95F
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16949 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:54:09 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2459401722-1099618446-1287055272-439493191
Account Name: 92977DFA-D88E-418A-A8E7-B64C4722321A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x53E95F
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16948 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:54:09 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2459401722-1099618446-1287055272-439493191
Account Name: 92977DFA-D88E-418A-A8E7-B64C4722321A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x53E95F
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16947 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:54:09 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 92977DFA-D88E-418A-A8E7-B64C4722321A
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16946 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:54:09 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2459401722-1099618446-1287055272-439493191
Account Name: 92977DFA-D88E-418A-A8E7-B64C4722321A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x53BAC9
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16945 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:54:03 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2459401722-1099618446-1287055272-439493191
Account Name: 92977DFA-D88E-418A-A8E7-B64C4722321A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x53BAC9
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16944 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:54:03 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2459401722-1099618446-1287055272-439493191
Account Name: 92977DFA-D88E-418A-A8E7-B64C4722321A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x53BAC9
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16943 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:54:03 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 92977DFA-D88E-418A-A8E7-B64C4722321A
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16942 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:54:03 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2459401722-1099618446-1287055272-439493191
Account Name: 92977DFA-D88E-418A-A8E7-B64C4722321A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x53989A
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16941 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:53:57 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2459401722-1099618446-1287055272-439493191
Account Name: 92977DFA-D88E-418A-A8E7-B64C4722321A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5399F9
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16940 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:53:57 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2459401722-1099618446-1287055272-439493191
Account Name: 92977DFA-D88E-418A-A8E7-B64C4722321A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5399F9
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16939 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:53:57 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 92977DFA-D88E-418A-A8E7-B64C4722321A
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16938 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:53:57 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2459401722-1099618446-1287055272-439493191
Account Name: 92977DFA-D88E-418A-A8E7-B64C4722321A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5399A0
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16937 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:53:57 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2459401722-1099618446-1287055272-439493191
Account Name: 92977DFA-D88E-418A-A8E7-B64C4722321A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5399A0
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16936 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:53:57 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2459401722-1099618446-1287055272-439493191
Account Name: 92977DFA-D88E-418A-A8E7-B64C4722321A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5399A0
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16935 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:53:57 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 92977DFA-D88E-418A-A8E7-B64C4722321A
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16934 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:53:57 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2459401722-1099618446-1287055272-439493191
Account Name: 92977DFA-D88E-418A-A8E7-B64C4722321A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x539956
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16933 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:53:57 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2459401722-1099618446-1287055272-439493191
Account Name: 92977DFA-D88E-418A-A8E7-B64C4722321A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x539956
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16932 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:53:57 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2459401722-1099618446-1287055272-439493191
Account Name: 92977DFA-D88E-418A-A8E7-B64C4722321A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x539956
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16931 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:53:57 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 92977DFA-D88E-418A-A8E7-B64C4722321A
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16930 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:53:57 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2459401722-1099618446-1287055272-439493191
Account Name: 92977DFA-D88E-418A-A8E7-B64C4722321A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x53989A
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16929 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:53:57 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2459401722-1099618446-1287055272-439493191
Account Name: 92977DFA-D88E-418A-A8E7-B64C4722321A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x53989A
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16928 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:53:57 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 92977DFA-D88E-418A-A8E7-B64C4722321A
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16927 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:53:57 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x5235FB
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16926 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:53:45 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3813257296-1176847435-3286428549-975524597
Account Name: E349B050-444B-4625-85EB-E2C3F552253A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x522924
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16925 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:52:56 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x52241A
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16924 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:52:55 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3813257296-1176847435-3286428549-975524597
Account Name: E349B050-444B-4625-85EB-E2C3F552253A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x52F7F8
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16923 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:52:53 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3813257296-1176847435-3286428549-975524597
Account Name: E349B050-444B-4625-85EB-E2C3F552253A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x52F7F8
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16922 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:52:53 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3813257296-1176847435-3286428549-975524597
Account Name: E349B050-444B-4625-85EB-E2C3F552253A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x52F7F8
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16921 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:52:53 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: E349B050-444B-4625-85EB-E2C3F552253A
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16920 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:52:53 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2094753490-1185170930-3716382115-985037319
Account Name: 7CDB66D2-45F2-46A4-A37D-83DD077AB63A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x523878
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16919 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:52:49 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3813257296-1176847435-3286428549-975524597
Account Name: E349B050-444B-4625-85EB-E2C3F552253A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x527CE8
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16918 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:52:47 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3813257296-1176847435-3286428549-975524597
Account Name: E349B050-444B-4625-85EB-E2C3F552253A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x527CE8
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16917 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:52:47 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3813257296-1176847435-3286428549-975524597
Account Name: E349B050-444B-4625-85EB-E2C3F552253A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x527CE8
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16916 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:52:47 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: E349B050-444B-4625-85EB-E2C3F552253A
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16915 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:52:47 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2094753490-1185170930-3716382115-985037319
Account Name: 7CDB66D2-45F2-46A4-A37D-83DD077AB63A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x52574B
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16914 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:52:44 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2094753490-1185170930-3716382115-985037319
Account Name: 7CDB66D2-45F2-46A4-A37D-83DD077AB63A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x52574B
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16913 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:52:44 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2094753490-1185170930-3716382115-985037319
Account Name: 7CDB66D2-45F2-46A4-A37D-83DD077AB63A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x52574B
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16912 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:52:44 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 7CDB66D2-45F2-46A4-A37D-83DD077AB63A
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16911 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:52:44 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2094753490-1185170930-3716382115-985037319
Account Name: 7CDB66D2-45F2-46A4-A37D-83DD077AB63A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x52455A
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16910 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:52:44 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2094753490-1185170930-3716382115-985037319
Account Name: 7CDB66D2-45F2-46A4-A37D-83DD077AB63A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x52455A
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16909 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:52:44 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2094753490-1185170930-3716382115-985037319
Account Name: 7CDB66D2-45F2-46A4-A37D-83DD077AB63A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x52455A
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16908 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:52:44 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 7CDB66D2-45F2-46A4-A37D-83DD077AB63A
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16907 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:52:44 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2094753490-1185170930-3716382115-985037319
Account Name: 7CDB66D2-45F2-46A4-A37D-83DD077AB63A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5236BB
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16906 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:52:44 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2094753490-1185170930-3716382115-985037319
Account Name: 7CDB66D2-45F2-46A4-A37D-83DD077AB63A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x523878
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16905 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:52:44 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2094753490-1185170930-3716382115-985037319
Account Name: 7CDB66D2-45F2-46A4-A37D-83DD077AB63A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x523878
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16904 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:52:44 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 7CDB66D2-45F2-46A4-A37D-83DD077AB63A
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16903 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:52:44 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2094753490-1185170930-3716382115-985037319
Account Name: 7CDB66D2-45F2-46A4-A37D-83DD077AB63A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x52381F
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16902 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:52:44 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2094753490-1185170930-3716382115-985037319
Account Name: 7CDB66D2-45F2-46A4-A37D-83DD077AB63A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x52381F
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16901 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:52:44 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2094753490-1185170930-3716382115-985037319
Account Name: 7CDB66D2-45F2-46A4-A37D-83DD077AB63A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x52381F
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16900 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:52:44 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 7CDB66D2-45F2-46A4-A37D-83DD077AB63A
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16899 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:52:44 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2094753490-1185170930-3716382115-985037319
Account Name: 7CDB66D2-45F2-46A4-A37D-83DD077AB63A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x523760
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16898 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:52:43 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2094753490-1185170930-3716382115-985037319
Account Name: 7CDB66D2-45F2-46A4-A37D-83DD077AB63A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x523760
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16897 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:52:43 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2094753490-1185170930-3716382115-985037319
Account Name: 7CDB66D2-45F2-46A4-A37D-83DD077AB63A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x523760
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16896 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:52:43 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 7CDB66D2-45F2-46A4-A37D-83DD077AB63A
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16895 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:52:43 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2094753490-1185170930-3716382115-985037319
Account Name: 7CDB66D2-45F2-46A4-A37D-83DD077AB63A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5236BB
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16894 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:52:43 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2094753490-1185170930-3716382115-985037319
Account Name: 7CDB66D2-45F2-46A4-A37D-83DD077AB63A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5236BB
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16893 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:52:43 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 7CDB66D2-45F2-46A4-A37D-83DD077AB63A
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16892 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:52:43 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Identification
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x5235FB
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {263E8714-E751-0AC8-D615-26BB3905D945}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 64301
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16891 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:52:43 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x5235FB
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16890 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:52:43 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3813257296-1176847435-3286428549-975524597
Account Name: E349B050-444B-4625-85EB-E2C3F552253A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5227CA
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16889 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:52:41 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3813257296-1176847435-3286428549-975524597
Account Name: E349B050-444B-4625-85EB-E2C3F552253A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x522924
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16888 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:52:41 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3813257296-1176847435-3286428549-975524597
Account Name: E349B050-444B-4625-85EB-E2C3F552253A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x522924
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16887 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:52:41 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: E349B050-444B-4625-85EB-E2C3F552253A
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16886 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:52:41 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3813257296-1176847435-3286428549-975524597
Account Name: E349B050-444B-4625-85EB-E2C3F552253A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5228CB
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16885 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:52:41 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3813257296-1176847435-3286428549-975524597
Account Name: E349B050-444B-4625-85EB-E2C3F552253A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5228CB
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16884 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:52:41 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3813257296-1176847435-3286428549-975524597
Account Name: E349B050-444B-4625-85EB-E2C3F552253A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5228CB
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16883 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:52:41 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: E349B050-444B-4625-85EB-E2C3F552253A
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16882 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:52:41 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3813257296-1176847435-3286428549-975524597
Account Name: E349B050-444B-4625-85EB-E2C3F552253A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x522881
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16881 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:52:41 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3813257296-1176847435-3286428549-975524597
Account Name: E349B050-444B-4625-85EB-E2C3F552253A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x522881
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16880 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:52:41 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3813257296-1176847435-3286428549-975524597
Account Name: E349B050-444B-4625-85EB-E2C3F552253A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x522881
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16879 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:52:41 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: E349B050-444B-4625-85EB-E2C3F552253A
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16878 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:52:41 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3813257296-1176847435-3286428549-975524597
Account Name: E349B050-444B-4625-85EB-E2C3F552253A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5227CA
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16877 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:52:41 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3813257296-1176847435-3286428549-975524597
Account Name: E349B050-444B-4625-85EB-E2C3F552253A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5227CA
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16876 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:52:41 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: E349B050-444B-4625-85EB-E2C3F552253A
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16875 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:52:41 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x5224CF
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16874 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:52:39 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x5224A3
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16873 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:52:39 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x5224B1
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16872 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:52:39 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x5224CF
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: N-H2-849328-3
Source Network Address: 10.222.0.76
Source Port: 64300
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): NTLM V2
Key Length: 128
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16871 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:52:39 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x5224CF
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16870 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:52:39 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x5224B1
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: N-H2-849328-3
Source Network Address: 10.222.0.76
Source Port: 64299
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): NTLM V2
Key Length: 128
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16869 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:52:39 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x5224B1
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16868 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:52:39 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x5224A3
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: N-H2-849328-3
Source Network Address: 10.222.0.76
Source Port: 64298
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): NTLM V2
Key Length: 128
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16867 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:52:39 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x5224A3
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16866 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:52:39 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x52241A
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: N-H2-849328-3
Source Network Address: 10.222.0.76
Source Port: 64297
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): NTLM V2
Key Length: 128
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16865 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:52:39 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x52241A
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16864 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:52:39 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x506E16
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16863 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:52:15 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3853375623-1335248674-1974363281-2949148478
Account Name: E5ADD887-4722-4F96-9164-AE753E6FC8AF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5166C4
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16862 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:51:59 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3853375623-1335248674-1974363281-2949148478
Account Name: E5ADD887-4722-4F96-9164-AE753E6FC8AF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x519BD1
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16861 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:51:56 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3853375623-1335248674-1974363281-2949148478
Account Name: E5ADD887-4722-4F96-9164-AE753E6FC8AF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x519BD1
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16860 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:51:56 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3853375623-1335248674-1974363281-2949148478
Account Name: E5ADD887-4722-4F96-9164-AE753E6FC8AF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x519BD1
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16859 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:51:56 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: E5ADD887-4722-4F96-9164-AE753E6FC8AF
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16858 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:51:56 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3853375623-1335248674-1974363281-2949148478
Account Name: E5ADD887-4722-4F96-9164-AE753E6FC8AF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x51737F
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16857 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:51:50 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3853375623-1335248674-1974363281-2949148478
Account Name: E5ADD887-4722-4F96-9164-AE753E6FC8AF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x51737F
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16856 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:51:50 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3853375623-1335248674-1974363281-2949148478
Account Name: E5ADD887-4722-4F96-9164-AE753E6FC8AF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x51737F
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16855 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:51:50 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: E5ADD887-4722-4F96-9164-AE753E6FC8AF
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16854 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:51:50 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3853375623-1335248674-1974363281-2949148478
Account Name: E5ADD887-4722-4F96-9164-AE753E6FC8AF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x516507
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16853 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:51:49 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3853375623-1335248674-1974363281-2949148478
Account Name: E5ADD887-4722-4F96-9164-AE753E6FC8AF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5166C4
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16852 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:51:49 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3853375623-1335248674-1974363281-2949148478
Account Name: E5ADD887-4722-4F96-9164-AE753E6FC8AF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5166C4
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16851 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:51:49 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: E5ADD887-4722-4F96-9164-AE753E6FC8AF
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16850 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:51:49 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3853375623-1335248674-1974363281-2949148478
Account Name: E5ADD887-4722-4F96-9164-AE753E6FC8AF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x51666B
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16849 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:51:49 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3853375623-1335248674-1974363281-2949148478
Account Name: E5ADD887-4722-4F96-9164-AE753E6FC8AF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x51666B
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16848 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:51:49 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3853375623-1335248674-1974363281-2949148478
Account Name: E5ADD887-4722-4F96-9164-AE753E6FC8AF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x51666B
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16847 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:51:49 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: E5ADD887-4722-4F96-9164-AE753E6FC8AF
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16846 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:51:49 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3853375623-1335248674-1974363281-2949148478
Account Name: E5ADD887-4722-4F96-9164-AE753E6FC8AF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x516622
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16845 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:51:49 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3853375623-1335248674-1974363281-2949148478
Account Name: E5ADD887-4722-4F96-9164-AE753E6FC8AF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x516622
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16844 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:51:49 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3853375623-1335248674-1974363281-2949148478
Account Name: E5ADD887-4722-4F96-9164-AE753E6FC8AF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x516622
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16843 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:51:49 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: E5ADD887-4722-4F96-9164-AE753E6FC8AF
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16842 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:51:49 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3853375623-1335248674-1974363281-2949148478
Account Name: E5ADD887-4722-4F96-9164-AE753E6FC8AF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x516507
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16841 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:51:49 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3853375623-1335248674-1974363281-2949148478
Account Name: E5ADD887-4722-4F96-9164-AE753E6FC8AF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x516507
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16840 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:51:49 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: E5ADD887-4722-4F96-9164-AE753E6FC8AF
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16839 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:51:49 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3718478360-1242246073-106067850-2322716834
Account Name: DDA37A18-2BB9-4A0B-8A77-5206A2D8718A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5094FC
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16838 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:51:33 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3718478360-1242246073-106067850-2322716834
Account Name: DDA37A18-2BB9-4A0B-8A77-5206A2D8718A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x50F340
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16837 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:51:29 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3718478360-1242246073-106067850-2322716834
Account Name: DDA37A18-2BB9-4A0B-8A77-5206A2D8718A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x50F340
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16836 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:51:29 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3718478360-1242246073-106067850-2322716834
Account Name: DDA37A18-2BB9-4A0B-8A77-5206A2D8718A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x50F340
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16835 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:51:29 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: DDA37A18-2BB9-4A0B-8A77-5206A2D8718A
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16834 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:51:29 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3718478360-1242246073-106067850-2322716834
Account Name: DDA37A18-2BB9-4A0B-8A77-5206A2D8718A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x50B414
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16833 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:51:19 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3718478360-1242246073-106067850-2322716834
Account Name: DDA37A18-2BB9-4A0B-8A77-5206A2D8718A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x50B414
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16832 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:51:19 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3718478360-1242246073-106067850-2322716834
Account Name: DDA37A18-2BB9-4A0B-8A77-5206A2D8718A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x50B414
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16831 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:51:19 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: DDA37A18-2BB9-4A0B-8A77-5206A2D8718A
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16830 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:51:19 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3718478360-1242246073-106067850-2322716834
Account Name: DDA37A18-2BB9-4A0B-8A77-5206A2D8718A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5093A2
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16829 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:51:14 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3718478360-1242246073-106067850-2322716834
Account Name: DDA37A18-2BB9-4A0B-8A77-5206A2D8718A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5094FC
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16828 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:51:14 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3718478360-1242246073-106067850-2322716834
Account Name: DDA37A18-2BB9-4A0B-8A77-5206A2D8718A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5094FC
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16827 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:51:14 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: DDA37A18-2BB9-4A0B-8A77-5206A2D8718A
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16826 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:51:14 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3718478360-1242246073-106067850-2322716834
Account Name: DDA37A18-2BB9-4A0B-8A77-5206A2D8718A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5094A3
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16825 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:51:14 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3718478360-1242246073-106067850-2322716834
Account Name: DDA37A18-2BB9-4A0B-8A77-5206A2D8718A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5094A3
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16824 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:51:14 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3718478360-1242246073-106067850-2322716834
Account Name: DDA37A18-2BB9-4A0B-8A77-5206A2D8718A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5094A3
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16823 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:51:14 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: DDA37A18-2BB9-4A0B-8A77-5206A2D8718A
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16822 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:51:14 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3718478360-1242246073-106067850-2322716834
Account Name: DDA37A18-2BB9-4A0B-8A77-5206A2D8718A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x509459
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16821 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:51:14 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3718478360-1242246073-106067850-2322716834
Account Name: DDA37A18-2BB9-4A0B-8A77-5206A2D8718A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x509459
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16820 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:51:14 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3718478360-1242246073-106067850-2322716834
Account Name: DDA37A18-2BB9-4A0B-8A77-5206A2D8718A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x509459
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16819 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:51:14 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: DDA37A18-2BB9-4A0B-8A77-5206A2D8718A
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16818 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:51:14 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3718478360-1242246073-106067850-2322716834
Account Name: DDA37A18-2BB9-4A0B-8A77-5206A2D8718A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5093A2
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16817 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:51:13 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3718478360-1242246073-106067850-2322716834
Account Name: DDA37A18-2BB9-4A0B-8A77-5206A2D8718A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5093A2
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16816 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:51:13 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: DDA37A18-2BB9-4A0B-8A77-5206A2D8718A
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16815 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:51:13 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Identification
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x506E16
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {263E8714-E751-0AC8-D615-26BB3905D945}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 64277
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16814 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:50:42 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x506E16
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16813 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:50:42 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1144785845-1299980637-3994013338-3588298690
Account Name: 443C0BB5-215D-4D7C-9ACE-0FEEC217E1D5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4FBA7B
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16812 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:50:41 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1144785845-1299980637-3994013338-3588298690
Account Name: 443C0BB5-215D-4D7C-9ACE-0FEEC217E1D5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5018BE
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16811 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:50:38 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1144785845-1299980637-3994013338-3588298690
Account Name: 443C0BB5-215D-4D7C-9ACE-0FEEC217E1D5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5018BE
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16810 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:50:38 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1144785845-1299980637-3994013338-3588298690
Account Name: 443C0BB5-215D-4D7C-9ACE-0FEEC217E1D5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x5018BE
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16809 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:50:38 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 443C0BB5-215D-4D7C-9ACE-0FEEC217E1D5
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16808 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:50:38 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1144785845-1299980637-3994013338-3588298690
Account Name: 443C0BB5-215D-4D7C-9ACE-0FEEC217E1D5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4FEB91
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16807 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:50:32 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1144785845-1299980637-3994013338-3588298690
Account Name: 443C0BB5-215D-4D7C-9ACE-0FEEC217E1D5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4FEB91
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16806 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:50:32 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1144785845-1299980637-3994013338-3588298690
Account Name: 443C0BB5-215D-4D7C-9ACE-0FEEC217E1D5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4FEB91
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16805 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:50:32 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 443C0BB5-215D-4D7C-9ACE-0FEEC217E1D5
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16804 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:50:32 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1144785845-1299980637-3994013338-3588298690
Account Name: 443C0BB5-215D-4D7C-9ACE-0FEEC217E1D5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4FB920
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16803 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:50:27 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1144785845-1299980637-3994013338-3588298690
Account Name: 443C0BB5-215D-4D7C-9ACE-0FEEC217E1D5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4FBA7B
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16802 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:50:27 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1144785845-1299980637-3994013338-3588298690
Account Name: 443C0BB5-215D-4D7C-9ACE-0FEEC217E1D5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4FBA7B
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16801 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:50:27 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 443C0BB5-215D-4D7C-9ACE-0FEEC217E1D5
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16800 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:50:27 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1144785845-1299980637-3994013338-3588298690
Account Name: 443C0BB5-215D-4D7C-9ACE-0FEEC217E1D5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4FBA22
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16799 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:50:27 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1144785845-1299980637-3994013338-3588298690
Account Name: 443C0BB5-215D-4D7C-9ACE-0FEEC217E1D5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4FBA22
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16798 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:50:27 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1144785845-1299980637-3994013338-3588298690
Account Name: 443C0BB5-215D-4D7C-9ACE-0FEEC217E1D5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4FBA22
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16797 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:50:27 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 443C0BB5-215D-4D7C-9ACE-0FEEC217E1D5
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16796 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:50:27 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1144785845-1299980637-3994013338-3588298690
Account Name: 443C0BB5-215D-4D7C-9ACE-0FEEC217E1D5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4FB9D8
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16795 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:50:27 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1144785845-1299980637-3994013338-3588298690
Account Name: 443C0BB5-215D-4D7C-9ACE-0FEEC217E1D5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4FB9D8
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16794 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:50:27 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1144785845-1299980637-3994013338-3588298690
Account Name: 443C0BB5-215D-4D7C-9ACE-0FEEC217E1D5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4FB9D8
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16793 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:50:27 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 443C0BB5-215D-4D7C-9ACE-0FEEC217E1D5
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16792 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:50:27 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1144785845-1299980637-3994013338-3588298690
Account Name: 443C0BB5-215D-4D7C-9ACE-0FEEC217E1D5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4FB920
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16791 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:50:26 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1144785845-1299980637-3994013338-3588298690
Account Name: 443C0BB5-215D-4D7C-9ACE-0FEEC217E1D5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4FB920
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16790 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:50:26 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 443C0BB5-215D-4D7C-9ACE-0FEEC217E1D5
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16789 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:50:26 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3242816165-1258985630-3921218739-29710714
Account Name: C14972A5-989E-4B0A-B30C-B9E97A59C501
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4DF15D
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16788 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:50:15 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-419703135-1199777141-3794064017-2986640599
Account Name: 1904295F-2575-4783-91D2-24E2D78404B2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4EC2B6
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16787 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:50:00 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-419703135-1199777141-3794064017-2986640599
Account Name: 1904295F-2575-4783-91D2-24E2D78404B2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4EFD0A
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16786 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:49:58 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-419703135-1199777141-3794064017-2986640599
Account Name: 1904295F-2575-4783-91D2-24E2D78404B2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4EFD0A
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16785 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:49:58 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-419703135-1199777141-3794064017-2986640599
Account Name: 1904295F-2575-4783-91D2-24E2D78404B2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4EFD0A
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16784 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:49:58 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 1904295F-2575-4783-91D2-24E2D78404B2
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16783 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:49:58 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-419703135-1199777141-3794064017-2986640599
Account Name: 1904295F-2575-4783-91D2-24E2D78404B2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4ECFA0
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16782 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:49:51 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-419703135-1199777141-3794064017-2986640599
Account Name: 1904295F-2575-4783-91D2-24E2D78404B2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4ECFA0
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16781 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:49:51 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-419703135-1199777141-3794064017-2986640599
Account Name: 1904295F-2575-4783-91D2-24E2D78404B2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4ECFA0
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16780 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:49:51 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 1904295F-2575-4783-91D2-24E2D78404B2
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16779 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:49:51 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-419703135-1199777141-3794064017-2986640599
Account Name: 1904295F-2575-4783-91D2-24E2D78404B2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4EC16F
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16778 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:49:51 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-419703135-1199777141-3794064017-2986640599
Account Name: 1904295F-2575-4783-91D2-24E2D78404B2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4EC2B6
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16777 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:49:51 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-419703135-1199777141-3794064017-2986640599
Account Name: 1904295F-2575-4783-91D2-24E2D78404B2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4EC2B6
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16776 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:49:51 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 1904295F-2575-4783-91D2-24E2D78404B2
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16775 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:49:51 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-419703135-1199777141-3794064017-2986640599
Account Name: 1904295F-2575-4783-91D2-24E2D78404B2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4EC25D
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16774 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:49:51 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-419703135-1199777141-3794064017-2986640599
Account Name: 1904295F-2575-4783-91D2-24E2D78404B2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4EC25D
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16773 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:49:51 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-419703135-1199777141-3794064017-2986640599
Account Name: 1904295F-2575-4783-91D2-24E2D78404B2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4EC25D
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16772 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:49:51 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 1904295F-2575-4783-91D2-24E2D78404B2
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16771 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:49:51 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-419703135-1199777141-3794064017-2986640599
Account Name: 1904295F-2575-4783-91D2-24E2D78404B2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4EC214
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16770 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:49:51 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-419703135-1199777141-3794064017-2986640599
Account Name: 1904295F-2575-4783-91D2-24E2D78404B2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4EC214
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16769 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:49:51 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-419703135-1199777141-3794064017-2986640599
Account Name: 1904295F-2575-4783-91D2-24E2D78404B2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4EC214
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16768 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:49:51 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 1904295F-2575-4783-91D2-24E2D78404B2
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16767 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:49:51 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-419703135-1199777141-3794064017-2986640599
Account Name: 1904295F-2575-4783-91D2-24E2D78404B2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4EC16F
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16766 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:49:51 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-419703135-1199777141-3794064017-2986640599
Account Name: 1904295F-2575-4783-91D2-24E2D78404B2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4EC16F
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16765 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:49:51 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 1904295F-2575-4783-91D2-24E2D78404B2
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16764 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:49:51 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-945480147-1130965668-2403011263-1415428936
Account Name: 385AE1D3-2AA4-4369-BF0A-3B8F48BB5D54
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4A40A2
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16763 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:49:26 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3242816165-1258985630-3921218739-29710714
Account Name: C14972A5-989E-4B0A-B30C-B9E97A59C501
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4E2BB8
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16762 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:49:19 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3242816165-1258985630-3921218739-29710714
Account Name: C14972A5-989E-4B0A-B30C-B9E97A59C501
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4E2BB8
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16761 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:49:19 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3242816165-1258985630-3921218739-29710714
Account Name: C14972A5-989E-4B0A-B30C-B9E97A59C501
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4E2BB8
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16760 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:49:19 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: C14972A5-989E-4B0A-B30C-B9E97A59C501
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16759 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:49:19 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x4DB1B5
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16758 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:49:15 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3242816165-1258985630-3921218739-29710714
Account Name: C14972A5-989E-4B0A-B30C-B9E97A59C501
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4DFECB
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16757 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:49:14 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3242816165-1258985630-3921218739-29710714
Account Name: C14972A5-989E-4B0A-B30C-B9E97A59C501
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4DFECB
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16756 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:49:14 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3242816165-1258985630-3921218739-29710714
Account Name: C14972A5-989E-4B0A-B30C-B9E97A59C501
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4DFECB
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16755 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:49:14 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: C14972A5-989E-4B0A-B30C-B9E97A59C501
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16754 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:49:14 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3242816165-1258985630-3921218739-29710714
Account Name: C14972A5-989E-4B0A-B30C-B9E97A59C501
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4DF015
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16753 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:49:14 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3242816165-1258985630-3921218739-29710714
Account Name: C14972A5-989E-4B0A-B30C-B9E97A59C501
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4DF15D
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16752 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:49:14 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3242816165-1258985630-3921218739-29710714
Account Name: C14972A5-989E-4B0A-B30C-B9E97A59C501
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4DF15D
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16751 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:49:14 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: C14972A5-989E-4B0A-B30C-B9E97A59C501
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16750 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:49:14 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3242816165-1258985630-3921218739-29710714
Account Name: C14972A5-989E-4B0A-B30C-B9E97A59C501
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4DF104
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16749 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:49:14 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3242816165-1258985630-3921218739-29710714
Account Name: C14972A5-989E-4B0A-B30C-B9E97A59C501
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4DF104
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16748 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:49:14 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3242816165-1258985630-3921218739-29710714
Account Name: C14972A5-989E-4B0A-B30C-B9E97A59C501
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4DF104
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16747 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:49:14 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: C14972A5-989E-4B0A-B30C-B9E97A59C501
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16746 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:49:14 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3242816165-1258985630-3921218739-29710714
Account Name: C14972A5-989E-4B0A-B30C-B9E97A59C501
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4DF0BB
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16745 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:49:14 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3242816165-1258985630-3921218739-29710714
Account Name: C14972A5-989E-4B0A-B30C-B9E97A59C501
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4DF0BB
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16744 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:49:14 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3242816165-1258985630-3921218739-29710714
Account Name: C14972A5-989E-4B0A-B30C-B9E97A59C501
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4DF0BB
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16743 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:49:14 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: C14972A5-989E-4B0A-B30C-B9E97A59C501
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16742 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:49:14 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3242816165-1258985630-3921218739-29710714
Account Name: C14972A5-989E-4B0A-B30C-B9E97A59C501
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4DF015
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16741 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:49:14 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3242816165-1258985630-3921218739-29710714
Account Name: C14972A5-989E-4B0A-B30C-B9E97A59C501
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4DF015
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16740 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:49:14 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: C14972A5-989E-4B0A-B30C-B9E97A59C501
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16739 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:49:14 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Identification
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x4DB1B5
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {263E8714-E751-0AC8-D615-26BB3905D945}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 64256
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16738 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:48:41 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x4DB1B5
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16737 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:48:41 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1945913206-1215531929-3747301274-356211180
Account Name: 73FC4776-8B99-4873-9A47-5BDFEC593B15
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4B93E1
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16736 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:48:25 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1945913206-1215531929-3747301274-356211180
Account Name: 73FC4776-8B99-4873-9A47-5BDFEC593B15
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4D1912
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16735 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:48:13 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1945913206-1215531929-3747301274-356211180
Account Name: 73FC4776-8B99-4873-9A47-5BDFEC593B15
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4D1912
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16734 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:48:13 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1945913206-1215531929-3747301274-356211180
Account Name: 73FC4776-8B99-4873-9A47-5BDFEC593B15
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4D1912
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16733 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:48:13 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 73FC4776-8B99-4873-9A47-5BDFEC593B15
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16732 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:48:13 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-4019705724-1301924641-4224173738-129394829
Account Name: EF97D77C-CB21-4D99-AAC6-C7FB8D68B607
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4C4A39
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16731 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:47:56 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-4019705724-1301924641-4224173738-129394829
Account Name: EF97D77C-CB21-4D99-AAC6-C7FB8D68B607
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4CA476
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16730 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:47:49 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-4019705724-1301924641-4224173738-129394829
Account Name: EF97D77C-CB21-4D99-AAC6-C7FB8D68B607
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4CA476
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16729 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:47:49 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-4019705724-1301924641-4224173738-129394829
Account Name: EF97D77C-CB21-4D99-AAC6-C7FB8D68B607
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4CA476
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16728 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:47:49 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: EF97D77C-CB21-4D99-AAC6-C7FB8D68B607
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16727 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:47:49 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x4B7B1E
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16726 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:47:46 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-4019705724-1301924641-4224173738-129394829
Account Name: EF97D77C-CB21-4D99-AAC6-C7FB8D68B607
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4C57FA
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16725 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:47:43 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-4019705724-1301924641-4224173738-129394829
Account Name: EF97D77C-CB21-4D99-AAC6-C7FB8D68B607
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4C57FA
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16724 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:47:43 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-4019705724-1301924641-4224173738-129394829
Account Name: EF97D77C-CB21-4D99-AAC6-C7FB8D68B607
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4C57FA
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16723 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:47:43 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: EF97D77C-CB21-4D99-AAC6-C7FB8D68B607
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16722 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:47:43 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-4019705724-1301924641-4224173738-129394829
Account Name: EF97D77C-CB21-4D99-AAC6-C7FB8D68B607
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4C48F1
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16721 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:47:43 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-4019705724-1301924641-4224173738-129394829
Account Name: EF97D77C-CB21-4D99-AAC6-C7FB8D68B607
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4C4A39
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16720 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:47:43 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-4019705724-1301924641-4224173738-129394829
Account Name: EF97D77C-CB21-4D99-AAC6-C7FB8D68B607
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4C4A39
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16719 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:47:43 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: EF97D77C-CB21-4D99-AAC6-C7FB8D68B607
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16718 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:47:43 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-4019705724-1301924641-4224173738-129394829
Account Name: EF97D77C-CB21-4D99-AAC6-C7FB8D68B607
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4C49E0
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16717 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:47:43 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-4019705724-1301924641-4224173738-129394829
Account Name: EF97D77C-CB21-4D99-AAC6-C7FB8D68B607
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4C49E0
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16716 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:47:43 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-4019705724-1301924641-4224173738-129394829
Account Name: EF97D77C-CB21-4D99-AAC6-C7FB8D68B607
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4C49E0
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16715 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:47:43 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: EF97D77C-CB21-4D99-AAC6-C7FB8D68B607
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16714 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:47:43 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-4019705724-1301924641-4224173738-129394829
Account Name: EF97D77C-CB21-4D99-AAC6-C7FB8D68B607
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4C4997
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16713 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:47:43 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-4019705724-1301924641-4224173738-129394829
Account Name: EF97D77C-CB21-4D99-AAC6-C7FB8D68B607
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4C4997
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16712 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:47:43 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-4019705724-1301924641-4224173738-129394829
Account Name: EF97D77C-CB21-4D99-AAC6-C7FB8D68B607
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4C4997
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16711 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:47:43 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: EF97D77C-CB21-4D99-AAC6-C7FB8D68B607
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16710 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:47:43 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-4019705724-1301924641-4224173738-129394829
Account Name: EF97D77C-CB21-4D99-AAC6-C7FB8D68B607
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4C48F1
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16709 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:47:43 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-4019705724-1301924641-4224173738-129394829
Account Name: EF97D77C-CB21-4D99-AAC6-C7FB8D68B607
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4C48F1
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16708 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:47:43 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: EF97D77C-CB21-4D99-AAC6-C7FB8D68B607
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16707 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:47:43 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-945480147-1130965668-2403011263-1415428936
Account Name: 385AE1D3-2AA4-4369-BF0A-3B8F48BB5D54
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4C042C
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16706 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:47:19 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-945480147-1130965668-2403011263-1415428936
Account Name: 385AE1D3-2AA4-4369-BF0A-3B8F48BB5D54
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4C042C
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16705 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:47:19 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-945480147-1130965668-2403011263-1415428936
Account Name: 385AE1D3-2AA4-4369-BF0A-3B8F48BB5D54
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4C042C
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16704 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:47:19 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 385AE1D3-2AA4-4369-BF0A-3B8F48BB5D54
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16703 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:47:19 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1945913206-1215531929-3747301274-356211180
Account Name: 73FC4776-8B99-4873-9A47-5BDFEC593B15
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4BD867
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16702 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:47:16 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1945913206-1215531929-3747301274-356211180
Account Name: 73FC4776-8B99-4873-9A47-5BDFEC593B15
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4BD867
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16701 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:47:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1945913206-1215531929-3747301274-356211180
Account Name: 73FC4776-8B99-4873-9A47-5BDFEC593B15
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4BD867
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16700 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:47:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 73FC4776-8B99-4873-9A47-5BDFEC593B15
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16699 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:47:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1945913206-1215531929-3747301274-356211180
Account Name: 73FC4776-8B99-4873-9A47-5BDFEC593B15
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4BA13A
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16698 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:47:04 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1945913206-1215531929-3747301274-356211180
Account Name: 73FC4776-8B99-4873-9A47-5BDFEC593B15
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4BA13A
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16697 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:47:04 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1945913206-1215531929-3747301274-356211180
Account Name: 73FC4776-8B99-4873-9A47-5BDFEC593B15
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4BA13A
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16696 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:47:04 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 73FC4776-8B99-4873-9A47-5BDFEC593B15
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16695 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:47:04 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1945913206-1215531929-3747301274-356211180
Account Name: 73FC4776-8B99-4873-9A47-5BDFEC593B15
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4B929A
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16694 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:47:03 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1945913206-1215531929-3747301274-356211180
Account Name: 73FC4776-8B99-4873-9A47-5BDFEC593B15
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4B93E1
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16693 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:47:03 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1945913206-1215531929-3747301274-356211180
Account Name: 73FC4776-8B99-4873-9A47-5BDFEC593B15
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4B93E1
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16692 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:47:03 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 73FC4776-8B99-4873-9A47-5BDFEC593B15
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16691 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:47:03 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1945913206-1215531929-3747301274-356211180
Account Name: 73FC4776-8B99-4873-9A47-5BDFEC593B15
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4B9388
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16690 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:47:03 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1945913206-1215531929-3747301274-356211180
Account Name: 73FC4776-8B99-4873-9A47-5BDFEC593B15
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4B9388
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16689 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:47:03 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1945913206-1215531929-3747301274-356211180
Account Name: 73FC4776-8B99-4873-9A47-5BDFEC593B15
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4B9388
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16688 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:47:03 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 73FC4776-8B99-4873-9A47-5BDFEC593B15
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16687 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:47:03 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1945913206-1215531929-3747301274-356211180
Account Name: 73FC4776-8B99-4873-9A47-5BDFEC593B15
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4B933F
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16686 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:47:03 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1945913206-1215531929-3747301274-356211180
Account Name: 73FC4776-8B99-4873-9A47-5BDFEC593B15
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4B933F
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16685 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:47:03 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1945913206-1215531929-3747301274-356211180
Account Name: 73FC4776-8B99-4873-9A47-5BDFEC593B15
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4B933F
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16684 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:47:03 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 73FC4776-8B99-4873-9A47-5BDFEC593B15
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16683 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:47:03 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1945913206-1215531929-3747301274-356211180
Account Name: 73FC4776-8B99-4873-9A47-5BDFEC593B15
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4B929A
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16682 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:47:03 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1945913206-1215531929-3747301274-356211180
Account Name: 73FC4776-8B99-4873-9A47-5BDFEC593B15
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4B929A
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16681 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:47:03 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 73FC4776-8B99-4873-9A47-5BDFEC593B15
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16680 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:47:03 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Identification
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x4B7B1E
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {263E8714-E751-0AC8-D615-26BB3905D945}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 64248
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16679 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:46:40 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x4B7B1E
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16678 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:46:40 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3830217812-1148917579-4017453701-2455693816
Account Name: E44C7C54-174B-447B-857A-75EFF8E95E92
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4AEB8D
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16677 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:46:37 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3830217812-1148917579-4017453701-2455693816
Account Name: E44C7C54-174B-447B-857A-75EFF8E95E92
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4B25F9
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16676 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:46:32 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3830217812-1148917579-4017453701-2455693816
Account Name: E44C7C54-174B-447B-857A-75EFF8E95E92
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4B25F9
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16675 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:46:32 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3830217812-1148917579-4017453701-2455693816
Account Name: E44C7C54-174B-447B-857A-75EFF8E95E92
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4B25F9
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16674 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:46:32 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: E44C7C54-174B-447B-857A-75EFF8E95E92
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16673 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:46:32 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3830217812-1148917579-4017453701-2455693816
Account Name: E44C7C54-174B-447B-857A-75EFF8E95E92
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4AF86F
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16672 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:46:26 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3830217812-1148917579-4017453701-2455693816
Account Name: E44C7C54-174B-447B-857A-75EFF8E95E92
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4AF86F
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16671 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:46:26 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3830217812-1148917579-4017453701-2455693816
Account Name: E44C7C54-174B-447B-857A-75EFF8E95E92
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4AF86F
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16670 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:46:26 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: E44C7C54-174B-447B-857A-75EFF8E95E92
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16669 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:46:26 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3830217812-1148917579-4017453701-2455693816
Account Name: E44C7C54-174B-447B-857A-75EFF8E95E92
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4AEA46
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16668 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:46:26 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3830217812-1148917579-4017453701-2455693816
Account Name: E44C7C54-174B-447B-857A-75EFF8E95E92
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4AEB8D
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16667 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:46:25 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3830217812-1148917579-4017453701-2455693816
Account Name: E44C7C54-174B-447B-857A-75EFF8E95E92
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4AEB8D
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16666 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:46:25 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: E44C7C54-174B-447B-857A-75EFF8E95E92
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16665 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:46:25 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3830217812-1148917579-4017453701-2455693816
Account Name: E44C7C54-174B-447B-857A-75EFF8E95E92
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4AEB34
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16664 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:46:25 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3830217812-1148917579-4017453701-2455693816
Account Name: E44C7C54-174B-447B-857A-75EFF8E95E92
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4AEB34
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16663 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:46:25 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3830217812-1148917579-4017453701-2455693816
Account Name: E44C7C54-174B-447B-857A-75EFF8E95E92
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4AEB34
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16662 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:46:25 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: E44C7C54-174B-447B-857A-75EFF8E95E92
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16661 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:46:25 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3830217812-1148917579-4017453701-2455693816
Account Name: E44C7C54-174B-447B-857A-75EFF8E95E92
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4AEAEB
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16660 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:46:25 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3830217812-1148917579-4017453701-2455693816
Account Name: E44C7C54-174B-447B-857A-75EFF8E95E92
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4AEAEB
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16659 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:46:25 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3830217812-1148917579-4017453701-2455693816
Account Name: E44C7C54-174B-447B-857A-75EFF8E95E92
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4AEAEB
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16658 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:46:25 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: E44C7C54-174B-447B-857A-75EFF8E95E92
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16657 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:46:25 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3830217812-1148917579-4017453701-2455693816
Account Name: E44C7C54-174B-447B-857A-75EFF8E95E92
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4AEA46
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16656 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:46:25 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3830217812-1148917579-4017453701-2455693816
Account Name: E44C7C54-174B-447B-857A-75EFF8E95E92
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4AEA46
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16655 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:46:25 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: E44C7C54-174B-447B-857A-75EFF8E95E92
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16654 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:46:25 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-945480147-1130965668-2403011263-1415428936
Account Name: 385AE1D3-2AA4-4369-BF0A-3B8F48BB5D54
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4AB4B7
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16653 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:46:18 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-945480147-1130965668-2403011263-1415428936
Account Name: 385AE1D3-2AA4-4369-BF0A-3B8F48BB5D54
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4AB4B7
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16652 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:46:18 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-945480147-1130965668-2403011263-1415428936
Account Name: 385AE1D3-2AA4-4369-BF0A-3B8F48BB5D54
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4AB4B7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16651 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:46:18 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 385AE1D3-2AA4-4369-BF0A-3B8F48BB5D54
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16650 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:46:18 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x495BB7
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16649 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:46:15 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3764709217-1248012994-411763328-9612133
Account Name: E064E761-2AC2-4A63-8002-8B1865AB9200
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x49E299
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16648 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:46:15 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-945480147-1130965668-2403011263-1415428936
Account Name: 385AE1D3-2AA4-4369-BF0A-3B8F48BB5D54
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4A4DF4
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16647 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:46:13 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-945480147-1130965668-2403011263-1415428936
Account Name: 385AE1D3-2AA4-4369-BF0A-3B8F48BB5D54
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4A4DF4
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16646 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:46:13 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-945480147-1130965668-2403011263-1415428936
Account Name: 385AE1D3-2AA4-4369-BF0A-3B8F48BB5D54
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4A4DF4
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16645 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:46:13 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 385AE1D3-2AA4-4369-BF0A-3B8F48BB5D54
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16644 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:46:13 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-945480147-1130965668-2403011263-1415428936
Account Name: 385AE1D3-2AA4-4369-BF0A-3B8F48BB5D54
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4A3F5B
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16643 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:46:12 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-945480147-1130965668-2403011263-1415428936
Account Name: 385AE1D3-2AA4-4369-BF0A-3B8F48BB5D54
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4A40A2
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16642 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:46:12 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-945480147-1130965668-2403011263-1415428936
Account Name: 385AE1D3-2AA4-4369-BF0A-3B8F48BB5D54
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4A40A2
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16641 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:46:12 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 385AE1D3-2AA4-4369-BF0A-3B8F48BB5D54
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16640 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:46:12 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-945480147-1130965668-2403011263-1415428936
Account Name: 385AE1D3-2AA4-4369-BF0A-3B8F48BB5D54
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4A4049
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16639 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:46:12 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-945480147-1130965668-2403011263-1415428936
Account Name: 385AE1D3-2AA4-4369-BF0A-3B8F48BB5D54
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4A4049
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16638 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:46:12 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-945480147-1130965668-2403011263-1415428936
Account Name: 385AE1D3-2AA4-4369-BF0A-3B8F48BB5D54
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4A4049
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16637 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:46:12 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 385AE1D3-2AA4-4369-BF0A-3B8F48BB5D54
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16636 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:46:12 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-945480147-1130965668-2403011263-1415428936
Account Name: 385AE1D3-2AA4-4369-BF0A-3B8F48BB5D54
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4A4000
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16635 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:46:12 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-945480147-1130965668-2403011263-1415428936
Account Name: 385AE1D3-2AA4-4369-BF0A-3B8F48BB5D54
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4A4000
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16634 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:46:12 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-945480147-1130965668-2403011263-1415428936
Account Name: 385AE1D3-2AA4-4369-BF0A-3B8F48BB5D54
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4A4000
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16633 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:46:12 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 385AE1D3-2AA4-4369-BF0A-3B8F48BB5D54
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16632 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:46:12 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-945480147-1130965668-2403011263-1415428936
Account Name: 385AE1D3-2AA4-4369-BF0A-3B8F48BB5D54
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4A3F5B
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16631 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:46:12 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-945480147-1130965668-2403011263-1415428936
Account Name: 385AE1D3-2AA4-4369-BF0A-3B8F48BB5D54
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4A3F5B
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16630 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:46:12 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 385AE1D3-2AA4-4369-BF0A-3B8F48BB5D54
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16629 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:46:12 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3764709217-1248012994-411763328-9612133
Account Name: E064E761-2AC2-4A63-8002-8B1865AB9200
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4A2714
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16628 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:46:10 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3764709217-1248012994-411763328-9612133
Account Name: E064E761-2AC2-4A63-8002-8B1865AB9200
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4A2714
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16627 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:46:10 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3764709217-1248012994-411763328-9612133
Account Name: E064E761-2AC2-4A63-8002-8B1865AB9200
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4A2714
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16626 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:46:10 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: E064E761-2AC2-4A63-8002-8B1865AB9200
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16625 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:46:10 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3764709217-1248012994-411763328-9612133
Account Name: E064E761-2AC2-4A63-8002-8B1865AB9200
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x49F005
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16624 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:46:05 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3764709217-1248012994-411763328-9612133
Account Name: E064E761-2AC2-4A63-8002-8B1865AB9200
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x49F005
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16623 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:46:05 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3764709217-1248012994-411763328-9612133
Account Name: E064E761-2AC2-4A63-8002-8B1865AB9200
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x49F005
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16622 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:46:05 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: E064E761-2AC2-4A63-8002-8B1865AB9200
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16621 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:46:05 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3764709217-1248012994-411763328-9612133
Account Name: E064E761-2AC2-4A63-8002-8B1865AB9200
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x49E151
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16620 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:46:05 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3764709217-1248012994-411763328-9612133
Account Name: E064E761-2AC2-4A63-8002-8B1865AB9200
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x49E299
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16619 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:46:04 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3764709217-1248012994-411763328-9612133
Account Name: E064E761-2AC2-4A63-8002-8B1865AB9200
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x49E299
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16618 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:46:04 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: E064E761-2AC2-4A63-8002-8B1865AB9200
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16617 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:46:04 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3764709217-1248012994-411763328-9612133
Account Name: E064E761-2AC2-4A63-8002-8B1865AB9200
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x49E240
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16616 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:46:04 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3764709217-1248012994-411763328-9612133
Account Name: E064E761-2AC2-4A63-8002-8B1865AB9200
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x49E240
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16615 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:46:04 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3764709217-1248012994-411763328-9612133
Account Name: E064E761-2AC2-4A63-8002-8B1865AB9200
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x49E240
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16614 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:46:04 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: E064E761-2AC2-4A63-8002-8B1865AB9200
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16613 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:46:04 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3764709217-1248012994-411763328-9612133
Account Name: E064E761-2AC2-4A63-8002-8B1865AB9200
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x49E1F7
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16612 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:46:04 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3764709217-1248012994-411763328-9612133
Account Name: E064E761-2AC2-4A63-8002-8B1865AB9200
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x49E1F7
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16611 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:46:04 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3764709217-1248012994-411763328-9612133
Account Name: E064E761-2AC2-4A63-8002-8B1865AB9200
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x49E1F7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16610 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:46:04 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: E064E761-2AC2-4A63-8002-8B1865AB9200
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16609 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:46:04 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3764709217-1248012994-411763328-9612133
Account Name: E064E761-2AC2-4A63-8002-8B1865AB9200
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x49E151
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16608 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:46:04 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3764709217-1248012994-411763328-9612133
Account Name: E064E761-2AC2-4A63-8002-8B1865AB9200
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x49E151
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16607 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:46:04 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: E064E761-2AC2-4A63-8002-8B1865AB9200
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16606 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:46:04 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3208905115-1129155220-399178940-1853955534
Account Name: BF44019B-8A94-434D-BCFC-CA17CE1D816E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x48E720
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16605 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:44:48 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Identification
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x495BB7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {263E8714-E751-0AC8-D615-26BB3905D945}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 64230
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16604 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:44:39 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x495BB7
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16603 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:44:39 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3208905115-1129155220-399178940-1853955534
Account Name: BF44019B-8A94-434D-BCFC-CA17CE1D816E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x49245D
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16602 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:44:12 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3208905115-1129155220-399178940-1853955534
Account Name: BF44019B-8A94-434D-BCFC-CA17CE1D816E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x49245D
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16601 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:44:12 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3208905115-1129155220-399178940-1853955534
Account Name: BF44019B-8A94-434D-BCFC-CA17CE1D816E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x49245D
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16600 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:44:12 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: BF44019B-8A94-434D-BCFC-CA17CE1D816E
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16599 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:44:12 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3208905115-1129155220-399178940-1853955534
Account Name: BF44019B-8A94-434D-BCFC-CA17CE1D816E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x48F413
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16598 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:44:05 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3208905115-1129155220-399178940-1853955534
Account Name: BF44019B-8A94-434D-BCFC-CA17CE1D816E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x48F413
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16597 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:44:05 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3208905115-1129155220-399178940-1853955534
Account Name: BF44019B-8A94-434D-BCFC-CA17CE1D816E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x48F413
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16596 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:44:05 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: BF44019B-8A94-434D-BCFC-CA17CE1D816E
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16595 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:44:05 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3208905115-1129155220-399178940-1853955534
Account Name: BF44019B-8A94-434D-BCFC-CA17CE1D816E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x48E5D8
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16594 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:44:05 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3208905115-1129155220-399178940-1853955534
Account Name: BF44019B-8A94-434D-BCFC-CA17CE1D816E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x48E720
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16593 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:44:04 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3208905115-1129155220-399178940-1853955534
Account Name: BF44019B-8A94-434D-BCFC-CA17CE1D816E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x48E720
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16592 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:44:04 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: BF44019B-8A94-434D-BCFC-CA17CE1D816E
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16591 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:44:04 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3208905115-1129155220-399178940-1853955534
Account Name: BF44019B-8A94-434D-BCFC-CA17CE1D816E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x48E6C7
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16590 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:44:04 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3208905115-1129155220-399178940-1853955534
Account Name: BF44019B-8A94-434D-BCFC-CA17CE1D816E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x48E6C7
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16589 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:44:04 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3208905115-1129155220-399178940-1853955534
Account Name: BF44019B-8A94-434D-BCFC-CA17CE1D816E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x48E6C7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16588 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:44:04 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: BF44019B-8A94-434D-BCFC-CA17CE1D816E
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16587 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:44:04 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3208905115-1129155220-399178940-1853955534
Account Name: BF44019B-8A94-434D-BCFC-CA17CE1D816E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x48E67E
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16586 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:44:04 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3208905115-1129155220-399178940-1853955534
Account Name: BF44019B-8A94-434D-BCFC-CA17CE1D816E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x48E67E
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16585 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:44:04 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3208905115-1129155220-399178940-1853955534
Account Name: BF44019B-8A94-434D-BCFC-CA17CE1D816E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x48E67E
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16584 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:44:04 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: BF44019B-8A94-434D-BCFC-CA17CE1D816E
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16583 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:44:04 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3208905115-1129155220-399178940-1853955534
Account Name: BF44019B-8A94-434D-BCFC-CA17CE1D816E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x48E5D8
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16582 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:44:04 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3208905115-1129155220-399178940-1853955534
Account Name: BF44019B-8A94-434D-BCFC-CA17CE1D816E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x48E5D8
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16581 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:44:04 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: BF44019B-8A94-434D-BCFC-CA17CE1D816E
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16580 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:44:04 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3157470420-1181531310-4252264337-3021243737
Account Name: BC332CD4-BCAE-466C-9167-74FD598514B4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x47BCB2
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16579 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:43:56 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3157470420-1181531310-4252264337-3021243737
Account Name: BC332CD4-BCAE-466C-9167-74FD598514B4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x488A86
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16578 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:43:52 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3157470420-1181531310-4252264337-3021243737
Account Name: BC332CD4-BCAE-466C-9167-74FD598514B4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x488A86
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16577 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:43:52 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3157470420-1181531310-4252264337-3021243737
Account Name: BC332CD4-BCAE-466C-9167-74FD598514B4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x488A86
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16576 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:43:52 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: BC332CD4-BCAE-466C-9167-74FD598514B4
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16575 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:43:52 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x482797
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16574 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:43:16 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Identification
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x482797
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {263E8714-E751-0AC8-D615-26BB3905D945}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 64214
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16573 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:42:38 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x482797
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16572 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:42:38 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3157470420-1181531310-4252264337-3021243737
Account Name: BC332CD4-BCAE-466C-9167-74FD598514B4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x480818
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16571 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:42:23 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3157470420-1181531310-4252264337-3021243737
Account Name: BC332CD4-BCAE-466C-9167-74FD598514B4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x480818
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16570 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:42:23 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3157470420-1181531310-4252264337-3021243737
Account Name: BC332CD4-BCAE-466C-9167-74FD598514B4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x480818
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16569 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:42:23 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: BC332CD4-BCAE-466C-9167-74FD598514B4
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16568 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:42:23 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3157470420-1181531310-4252264337-3021243737
Account Name: BC332CD4-BCAE-466C-9167-74FD598514B4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x47C96D
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16567 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:42:17 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3157470420-1181531310-4252264337-3021243737
Account Name: BC332CD4-BCAE-466C-9167-74FD598514B4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x47C96D
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16566 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:42:17 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3157470420-1181531310-4252264337-3021243737
Account Name: BC332CD4-BCAE-466C-9167-74FD598514B4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x47C96D
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16565 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:42:17 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: BC332CD4-BCAE-466C-9167-74FD598514B4
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16564 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:42:17 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3157470420-1181531310-4252264337-3021243737
Account Name: BC332CD4-BCAE-466C-9167-74FD598514B4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x47BB6A
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16563 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:42:16 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3157470420-1181531310-4252264337-3021243737
Account Name: BC332CD4-BCAE-466C-9167-74FD598514B4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x47BCB2
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16562 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:42:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3157470420-1181531310-4252264337-3021243737
Account Name: BC332CD4-BCAE-466C-9167-74FD598514B4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x47BCB2
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16561 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:42:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: BC332CD4-BCAE-466C-9167-74FD598514B4
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16560 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:42:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3157470420-1181531310-4252264337-3021243737
Account Name: BC332CD4-BCAE-466C-9167-74FD598514B4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x47BC59
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16559 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:42:16 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3157470420-1181531310-4252264337-3021243737
Account Name: BC332CD4-BCAE-466C-9167-74FD598514B4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x47BC59
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16558 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:42:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3157470420-1181531310-4252264337-3021243737
Account Name: BC332CD4-BCAE-466C-9167-74FD598514B4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x47BC59
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16557 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:42:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: BC332CD4-BCAE-466C-9167-74FD598514B4
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16556 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:42:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3157470420-1181531310-4252264337-3021243737
Account Name: BC332CD4-BCAE-466C-9167-74FD598514B4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x47BC10
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16555 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:42:16 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3157470420-1181531310-4252264337-3021243737
Account Name: BC332CD4-BCAE-466C-9167-74FD598514B4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x47BC10
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16554 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:42:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3157470420-1181531310-4252264337-3021243737
Account Name: BC332CD4-BCAE-466C-9167-74FD598514B4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x47BC10
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16553 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:42:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: BC332CD4-BCAE-466C-9167-74FD598514B4
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16552 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:42:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3157470420-1181531310-4252264337-3021243737
Account Name: BC332CD4-BCAE-466C-9167-74FD598514B4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x47BB6A
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16551 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:42:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3157470420-1181531310-4252264337-3021243737
Account Name: BC332CD4-BCAE-466C-9167-74FD598514B4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x47BB6A
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16550 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:42:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: BC332CD4-BCAE-466C-9167-74FD598514B4
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16549 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:42:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-766382520-1288364202-1888711573-131245379
Account Name: 2DAE11B8-E0AA-4CCA-9573-937043A5D207
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x456737
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16548 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:41:51 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x452A31
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16547 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:41:45 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-766382520-1288364202-1888711573-131245379
Account Name: 2DAE11B8-E0AA-4CCA-9573-937043A5D207
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x47289F
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16546 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:41:20 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-766382520-1288364202-1888711573-131245379
Account Name: 2DAE11B8-E0AA-4CCA-9573-937043A5D207
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x47289F
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16545 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:41:20 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-766382520-1288364202-1888711573-131245379
Account Name: 2DAE11B8-E0AA-4CCA-9573-937043A5D207
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x47289F
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16544 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:41:20 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 2DAE11B8-E0AA-4CCA-9573-937043A5D207
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16543 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:41:20 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-163216161-1261202215-3776011435-2139244595
Account Name: 09BA7B21-6B27-4B2C-AB5C-11E13348827F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x372E99
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16542 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:41:19 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1734422910-1311431045-714914189-2715778871
Account Name: 6761317E-D985-4E2A-8DB9-9C2A377FDFA1
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3C7687
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16541 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:41:09 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-826998322-1242018220-1318551981-4223363083
Account Name: 314AFE32-B1AC-4A07-AD81-974E0B68BBFB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3D4310
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16540 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:41:07 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3576242303-1313878755-4206603439-2456355105
Account Name: D529207F-32E3-4E50-AFAC-BBFA21016992
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x44CE64
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16539 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:41:06 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1963703475-1139290781-1146586763-3347640221
Account Name: 750BBCB3-329D-43E8-8B86-57449DEF88C7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x424CFA
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16538 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:41:02 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-766382520-1288364202-1888711573-131245379
Account Name: 2DAE11B8-E0AA-4CCA-9573-937043A5D207
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x45B9A1
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16537 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:40:57 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-766382520-1288364202-1888711573-131245379
Account Name: 2DAE11B8-E0AA-4CCA-9573-937043A5D207
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x45B9A1
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16536 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:40:57 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-766382520-1288364202-1888711573-131245379
Account Name: 2DAE11B8-E0AA-4CCA-9573-937043A5D207
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x45B9A1
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16535 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:40:57 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 2DAE11B8-E0AA-4CCA-9573-937043A5D207
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16534 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:40:57 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-766382520-1288364202-1888711573-131245379
Account Name: 2DAE11B8-E0AA-4CCA-9573-937043A5D207
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4574F5
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16533 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:40:51 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-766382520-1288364202-1888711573-131245379
Account Name: 2DAE11B8-E0AA-4CCA-9573-937043A5D207
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4574F5
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16532 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:40:51 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-766382520-1288364202-1888711573-131245379
Account Name: 2DAE11B8-E0AA-4CCA-9573-937043A5D207
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4574F5
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16531 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:40:51 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 2DAE11B8-E0AA-4CCA-9573-937043A5D207
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16530 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:40:51 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-766382520-1288364202-1888711573-131245379
Account Name: 2DAE11B8-E0AA-4CCA-9573-937043A5D207
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4565EC
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16529 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:40:50 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-766382520-1288364202-1888711573-131245379
Account Name: 2DAE11B8-E0AA-4CCA-9573-937043A5D207
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x456737
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16528 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:40:50 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-766382520-1288364202-1888711573-131245379
Account Name: 2DAE11B8-E0AA-4CCA-9573-937043A5D207
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x456737
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16527 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:40:50 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 2DAE11B8-E0AA-4CCA-9573-937043A5D207
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16526 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:40:50 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-766382520-1288364202-1888711573-131245379
Account Name: 2DAE11B8-E0AA-4CCA-9573-937043A5D207
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4566DE
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16525 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:40:50 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-766382520-1288364202-1888711573-131245379
Account Name: 2DAE11B8-E0AA-4CCA-9573-937043A5D207
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4566DE
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16524 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:40:50 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-766382520-1288364202-1888711573-131245379
Account Name: 2DAE11B8-E0AA-4CCA-9573-937043A5D207
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4566DE
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16523 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:40:50 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 2DAE11B8-E0AA-4CCA-9573-937043A5D207
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16522 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:40:50 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-766382520-1288364202-1888711573-131245379
Account Name: 2DAE11B8-E0AA-4CCA-9573-937043A5D207
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x456695
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16521 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:40:50 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-766382520-1288364202-1888711573-131245379
Account Name: 2DAE11B8-E0AA-4CCA-9573-937043A5D207
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x456695
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16520 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:40:50 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-766382520-1288364202-1888711573-131245379
Account Name: 2DAE11B8-E0AA-4CCA-9573-937043A5D207
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x456695
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16519 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:40:50 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 2DAE11B8-E0AA-4CCA-9573-937043A5D207
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16518 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:40:50 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-766382520-1288364202-1888711573-131245379
Account Name: 2DAE11B8-E0AA-4CCA-9573-937043A5D207
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4565EC
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16517 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:40:50 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-766382520-1288364202-1888711573-131245379
Account Name: 2DAE11B8-E0AA-4CCA-9573-937043A5D207
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4565EC
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16516 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:40:50 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 2DAE11B8-E0AA-4CCA-9573-937043A5D207
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16515 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:40:50 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Identification
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x452A31
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {263E8714-E751-0AC8-D615-26BB3905D945}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 64200
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16514 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:40:37 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x452A31
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16513 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:40:37 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3576242303-1313878755-4206603439-2456355105
Account Name: D529207F-32E3-4E50-AFAC-BBFA21016992
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4510D4
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16512 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:40:35 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3576242303-1313878755-4206603439-2456355105
Account Name: D529207F-32E3-4E50-AFAC-BBFA21016992
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4510D4
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16511 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:40:35 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3576242303-1313878755-4206603439-2456355105
Account Name: D529207F-32E3-4E50-AFAC-BBFA21016992
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4510D4
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16510 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:40:35 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: D529207F-32E3-4E50-AFAC-BBFA21016992
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16509 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:40:35 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3576242303-1313878755-4206603439-2456355105
Account Name: D529207F-32E3-4E50-AFAC-BBFA21016992
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x44DC0D
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16508 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:40:30 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3576242303-1313878755-4206603439-2456355105
Account Name: D529207F-32E3-4E50-AFAC-BBFA21016992
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x44DC0D
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16507 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:40:30 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3576242303-1313878755-4206603439-2456355105
Account Name: D529207F-32E3-4E50-AFAC-BBFA21016992
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x44DC0D
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16506 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:40:30 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: D529207F-32E3-4E50-AFAC-BBFA21016992
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16505 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:40:30 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3576242303-1313878755-4206603439-2456355105
Account Name: D529207F-32E3-4E50-AFAC-BBFA21016992
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x44CD18
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16504 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:40:30 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3576242303-1313878755-4206603439-2456355105
Account Name: D529207F-32E3-4E50-AFAC-BBFA21016992
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x44CE64
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16503 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:40:30 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3576242303-1313878755-4206603439-2456355105
Account Name: D529207F-32E3-4E50-AFAC-BBFA21016992
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x44CE64
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16502 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:40:30 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: D529207F-32E3-4E50-AFAC-BBFA21016992
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16501 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:40:30 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3576242303-1313878755-4206603439-2456355105
Account Name: D529207F-32E3-4E50-AFAC-BBFA21016992
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x44CE07
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16500 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:40:30 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3576242303-1313878755-4206603439-2456355105
Account Name: D529207F-32E3-4E50-AFAC-BBFA21016992
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x44CE07
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16499 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:40:30 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3576242303-1313878755-4206603439-2456355105
Account Name: D529207F-32E3-4E50-AFAC-BBFA21016992
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x44CE07
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16498 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:40:30 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: D529207F-32E3-4E50-AFAC-BBFA21016992
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16497 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:40:30 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3576242303-1313878755-4206603439-2456355105
Account Name: D529207F-32E3-4E50-AFAC-BBFA21016992
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x44CDBE
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16496 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:40:30 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3576242303-1313878755-4206603439-2456355105
Account Name: D529207F-32E3-4E50-AFAC-BBFA21016992
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x44CDBE
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16495 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:40:30 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3576242303-1313878755-4206603439-2456355105
Account Name: D529207F-32E3-4E50-AFAC-BBFA21016992
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x44CDBE
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16494 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:40:30 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: D529207F-32E3-4E50-AFAC-BBFA21016992
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16493 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:40:30 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3576242303-1313878755-4206603439-2456355105
Account Name: D529207F-32E3-4E50-AFAC-BBFA21016992
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x44CD18
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16492 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:40:30 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3576242303-1313878755-4206603439-2456355105
Account Name: D529207F-32E3-4E50-AFAC-BBFA21016992
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x44CD18
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16491 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:40:30 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: D529207F-32E3-4E50-AFAC-BBFA21016992
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16490 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:40:30 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-786841896-1286079228-2469683604-1880779827
Account Name: 2EE64128-02FC-4CA8-9461-3493336C1A70
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x41BCBE
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16489 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:40:26 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3704391753-1298750857-3579851964-1330865643
Account Name: DCCC8849-5D89-4D69-BC34-60D5EB65534F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x42EF89
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16488 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:40:24 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3704391753-1298750857-3579851964-1330865643
Account Name: DCCC8849-5D89-4D69-BC34-60D5EB65534F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4422B6
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16487 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:40:17 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3704391753-1298750857-3579851964-1330865643
Account Name: DCCC8849-5D89-4D69-BC34-60D5EB65534F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4422B6
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16486 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:40:17 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3704391753-1298750857-3579851964-1330865643
Account Name: DCCC8849-5D89-4D69-BC34-60D5EB65534F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4422B6
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16485 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:40:17 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: DCCC8849-5D89-4D69-BC34-60D5EB65534F
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16484 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:40:17 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x421258
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16483 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:40:16 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-786841896-1286079228-2469683604-1880779827
Account Name: 2EE64128-02FC-4CA8-9461-3493336C1A70
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x43AF52
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16482 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:39:39 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-786841896-1286079228-2469683604-1880779827
Account Name: 2EE64128-02FC-4CA8-9461-3493336C1A70
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x43AF52
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16481 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:39:39 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-786841896-1286079228-2469683604-1880779827
Account Name: 2EE64128-02FC-4CA8-9461-3493336C1A70
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x43AF52
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16480 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:39:39 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 2EE64128-02FC-4CA8-9461-3493336C1A70
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16479 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:39:39 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3704391753-1298750857-3579851964-1330865643
Account Name: DCCC8849-5D89-4D69-BC34-60D5EB65534F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4379A0
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16478 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:39:36 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3704391753-1298750857-3579851964-1330865643
Account Name: DCCC8849-5D89-4D69-BC34-60D5EB65534F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4379A0
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16477 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:39:36 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3704391753-1298750857-3579851964-1330865643
Account Name: DCCC8849-5D89-4D69-BC34-60D5EB65534F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x4379A0
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16476 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:39:36 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: DCCC8849-5D89-4D69-BC34-60D5EB65534F
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16475 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:39:36 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2079917561-1313404624-1982993324-3675726354
Account Name: 7BF905F9-F6D0-4E48-AC13-3276122217DB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3E13F6
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16474 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:39:35 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2079917561-1313404624-1982993324-3675726354
Account Name: 7BF905F9-F6D0-4E48-AC13-3276122217DB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x43233A
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16473 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:39:32 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2079917561-1313404624-1982993324-3675726354
Account Name: 7BF905F9-F6D0-4E48-AC13-3276122217DB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x43233A
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16472 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:39:32 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2079917561-1313404624-1982993324-3675726354
Account Name: 7BF905F9-F6D0-4E48-AC13-3276122217DB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x43233A
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16471 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:39:32 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 7BF905F9-F6D0-4E48-AC13-3276122217DB
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16470 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:39:32 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3704391753-1298750857-3579851964-1330865643
Account Name: DCCC8849-5D89-4D69-BC34-60D5EB65534F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x42FDD2
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16469 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:39:28 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3704391753-1298750857-3579851964-1330865643
Account Name: DCCC8849-5D89-4D69-BC34-60D5EB65534F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x42FDD2
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16468 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:39:28 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3704391753-1298750857-3579851964-1330865643
Account Name: DCCC8849-5D89-4D69-BC34-60D5EB65534F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x42FDD2
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16467 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:39:28 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: DCCC8849-5D89-4D69-BC34-60D5EB65534F
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16466 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:39:28 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3704391753-1298750857-3579851964-1330865643
Account Name: DCCC8849-5D89-4D69-BC34-60D5EB65534F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x42EE41
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16465 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:39:27 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3704391753-1298750857-3579851964-1330865643
Account Name: DCCC8849-5D89-4D69-BC34-60D5EB65534F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x42EF89
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16464 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:39:27 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3704391753-1298750857-3579851964-1330865643
Account Name: DCCC8849-5D89-4D69-BC34-60D5EB65534F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x42EF89
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16463 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:39:27 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: DCCC8849-5D89-4D69-BC34-60D5EB65534F
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16462 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:39:27 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3704391753-1298750857-3579851964-1330865643
Account Name: DCCC8849-5D89-4D69-BC34-60D5EB65534F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x42EF30
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16461 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:39:27 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3704391753-1298750857-3579851964-1330865643
Account Name: DCCC8849-5D89-4D69-BC34-60D5EB65534F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x42EF30
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16460 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:39:27 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3704391753-1298750857-3579851964-1330865643
Account Name: DCCC8849-5D89-4D69-BC34-60D5EB65534F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x42EF30
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16459 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:39:27 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: DCCC8849-5D89-4D69-BC34-60D5EB65534F
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16458 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:39:27 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3704391753-1298750857-3579851964-1330865643
Account Name: DCCC8849-5D89-4D69-BC34-60D5EB65534F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x42EEE7
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16457 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:39:27 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3704391753-1298750857-3579851964-1330865643
Account Name: DCCC8849-5D89-4D69-BC34-60D5EB65534F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x42EEE7
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16456 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:39:27 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3704391753-1298750857-3579851964-1330865643
Account Name: DCCC8849-5D89-4D69-BC34-60D5EB65534F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x42EEE7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16455 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:39:27 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: DCCC8849-5D89-4D69-BC34-60D5EB65534F
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16454 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:39:27 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3704391753-1298750857-3579851964-1330865643
Account Name: DCCC8849-5D89-4D69-BC34-60D5EB65534F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x42EE41
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16453 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:39:27 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3704391753-1298750857-3579851964-1330865643
Account Name: DCCC8849-5D89-4D69-BC34-60D5EB65534F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x42EE41
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16452 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:39:27 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: DCCC8849-5D89-4D69-BC34-60D5EB65534F
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16451 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:39:27 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1963703475-1139290781-1146586763-3347640221
Account Name: 750BBCB3-329D-43E8-8B86-57449DEF88C7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x429058
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16450 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:39:07 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1963703475-1139290781-1146586763-3347640221
Account Name: 750BBCB3-329D-43E8-8B86-57449DEF88C7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x429058
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16449 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:39:07 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1963703475-1139290781-1146586763-3347640221
Account Name: 750BBCB3-329D-43E8-8B86-57449DEF88C7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x429058
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16448 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:39:07 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 750BBCB3-329D-43E8-8B86-57449DEF88C7
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16447 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:39:07 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1963703475-1139290781-1146586763-3347640221
Account Name: 750BBCB3-329D-43E8-8B86-57449DEF88C7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x425AEE
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16446 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:38:59 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1963703475-1139290781-1146586763-3347640221
Account Name: 750BBCB3-329D-43E8-8B86-57449DEF88C7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x425AEE
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16445 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:38:59 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1963703475-1139290781-1146586763-3347640221
Account Name: 750BBCB3-329D-43E8-8B86-57449DEF88C7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x425AEE
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16444 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:38:59 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 750BBCB3-329D-43E8-8B86-57449DEF88C7
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16443 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:38:59 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1963703475-1139290781-1146586763-3347640221
Account Name: 750BBCB3-329D-43E8-8B86-57449DEF88C7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x424BAF
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16442 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:38:59 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1963703475-1139290781-1146586763-3347640221
Account Name: 750BBCB3-329D-43E8-8B86-57449DEF88C7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x424CFA
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16441 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:38:59 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1963703475-1139290781-1146586763-3347640221
Account Name: 750BBCB3-329D-43E8-8B86-57449DEF88C7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x424CFA
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16440 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:38:59 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 750BBCB3-329D-43E8-8B86-57449DEF88C7
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16439 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:38:59 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1963703475-1139290781-1146586763-3347640221
Account Name: 750BBCB3-329D-43E8-8B86-57449DEF88C7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x424CA1
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16438 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:38:59 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1963703475-1139290781-1146586763-3347640221
Account Name: 750BBCB3-329D-43E8-8B86-57449DEF88C7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x424CA1
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16437 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:38:59 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1963703475-1139290781-1146586763-3347640221
Account Name: 750BBCB3-329D-43E8-8B86-57449DEF88C7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x424CA1
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16436 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:38:59 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 750BBCB3-329D-43E8-8B86-57449DEF88C7
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16435 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:38:59 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1963703475-1139290781-1146586763-3347640221
Account Name: 750BBCB3-329D-43E8-8B86-57449DEF88C7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x424C58
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16434 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:38:59 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1963703475-1139290781-1146586763-3347640221
Account Name: 750BBCB3-329D-43E8-8B86-57449DEF88C7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x424C58
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16433 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:38:59 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1963703475-1139290781-1146586763-3347640221
Account Name: 750BBCB3-329D-43E8-8B86-57449DEF88C7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x424C58
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16432 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:38:59 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 750BBCB3-329D-43E8-8B86-57449DEF88C7
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16431 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:38:59 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1963703475-1139290781-1146586763-3347640221
Account Name: 750BBCB3-329D-43E8-8B86-57449DEF88C7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x424BAF
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16430 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:38:59 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1963703475-1139290781-1146586763-3347640221
Account Name: 750BBCB3-329D-43E8-8B86-57449DEF88C7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x424BAF
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16429 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:38:59 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 750BBCB3-329D-43E8-8B86-57449DEF88C7
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16428 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 4184 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:38:59 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Identification
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x421258
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {263E8714-E751-0AC8-D615-26BB3905D945}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 64180
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16427 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:38:36 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x421258
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16426 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:38:36 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-786841896-1286079228-2469683604-1880779827
Account Name: 2EE64128-02FC-4CA8-9461-3493336C1A70
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x41F9EA
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16425 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:38:32 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-786841896-1286079228-2469683604-1880779827
Account Name: 2EE64128-02FC-4CA8-9461-3493336C1A70
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x41F9EA
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16424 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:38:32 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-786841896-1286079228-2469683604-1880779827
Account Name: 2EE64128-02FC-4CA8-9461-3493336C1A70
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x41F9EA
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16423 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:38:32 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 2EE64128-02FC-4CA8-9461-3493336C1A70
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16422 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:38:32 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-786841896-1286079228-2469683604-1880779827
Account Name: 2EE64128-02FC-4CA8-9461-3493336C1A70
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x41CA66
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16421 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:38:27 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-786841896-1286079228-2469683604-1880779827
Account Name: 2EE64128-02FC-4CA8-9461-3493336C1A70
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x41CA66
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16420 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:38:27 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-786841896-1286079228-2469683604-1880779827
Account Name: 2EE64128-02FC-4CA8-9461-3493336C1A70
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x41CA66
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16419 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:38:27 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 2EE64128-02FC-4CA8-9461-3493336C1A70
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16418 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:38:27 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-786841896-1286079228-2469683604-1880779827
Account Name: 2EE64128-02FC-4CA8-9461-3493336C1A70
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x41BB72
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16417 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:38:26 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-786841896-1286079228-2469683604-1880779827
Account Name: 2EE64128-02FC-4CA8-9461-3493336C1A70
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x41BCBE
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16416 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:38:26 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-786841896-1286079228-2469683604-1880779827
Account Name: 2EE64128-02FC-4CA8-9461-3493336C1A70
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x41BCBE
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16415 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:38:26 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 2EE64128-02FC-4CA8-9461-3493336C1A70
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16414 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:38:26 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-786841896-1286079228-2469683604-1880779827
Account Name: 2EE64128-02FC-4CA8-9461-3493336C1A70
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x41BC61
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16413 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:38:26 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-786841896-1286079228-2469683604-1880779827
Account Name: 2EE64128-02FC-4CA8-9461-3493336C1A70
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x41BC61
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16412 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:38:26 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-786841896-1286079228-2469683604-1880779827
Account Name: 2EE64128-02FC-4CA8-9461-3493336C1A70
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x41BC61
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16411 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:38:26 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 2EE64128-02FC-4CA8-9461-3493336C1A70
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16410 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:38:26 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-786841896-1286079228-2469683604-1880779827
Account Name: 2EE64128-02FC-4CA8-9461-3493336C1A70
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x41BC18
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16409 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:38:26 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-786841896-1286079228-2469683604-1880779827
Account Name: 2EE64128-02FC-4CA8-9461-3493336C1A70
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x41BC18
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16408 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:38:26 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-786841896-1286079228-2469683604-1880779827
Account Name: 2EE64128-02FC-4CA8-9461-3493336C1A70
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x41BC18
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16407 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:38:26 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 2EE64128-02FC-4CA8-9461-3493336C1A70
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16406 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:38:26 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-786841896-1286079228-2469683604-1880779827
Account Name: 2EE64128-02FC-4CA8-9461-3493336C1A70
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x41BB72
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16405 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:38:26 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-786841896-1286079228-2469683604-1880779827
Account Name: 2EE64128-02FC-4CA8-9461-3493336C1A70
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x41BB72
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16404 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:38:26 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 2EE64128-02FC-4CA8-9461-3493336C1A70
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16403 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:38:26 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2079917561-1313404624-1982993324-3675726354
Account Name: 7BF905F9-F6D0-4E48-AC13-3276122217DB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3E57D0
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16402 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:37:54 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2079917561-1313404624-1982993324-3675726354
Account Name: 7BF905F9-F6D0-4E48-AC13-3276122217DB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3E57D0
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16401 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:37:54 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2079917561-1313404624-1982993324-3675726354
Account Name: 7BF905F9-F6D0-4E48-AC13-3276122217DB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3E57D0
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16400 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:37:54 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 7BF905F9-F6D0-4E48-AC13-3276122217DB
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16399 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:37:54 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2079917561-1313404624-1982993324-3675726354
Account Name: 7BF905F9-F6D0-4E48-AC13-3276122217DB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3E2166
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16398 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:37:47 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2079917561-1313404624-1982993324-3675726354
Account Name: 7BF905F9-F6D0-4E48-AC13-3276122217DB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3E2166
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16397 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:37:47 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2079917561-1313404624-1982993324-3675726354
Account Name: 7BF905F9-F6D0-4E48-AC13-3276122217DB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3E2166
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16396 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:37:47 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 7BF905F9-F6D0-4E48-AC13-3276122217DB
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16395 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:37:47 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2079917561-1313404624-1982993324-3675726354
Account Name: 7BF905F9-F6D0-4E48-AC13-3276122217DB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3E121B
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16394 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:37:46 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2079917561-1313404624-1982993324-3675726354
Account Name: 7BF905F9-F6D0-4E48-AC13-3276122217DB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3E13F6
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16393 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:37:46 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2079917561-1313404624-1982993324-3675726354
Account Name: 7BF905F9-F6D0-4E48-AC13-3276122217DB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3E13F6
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16392 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:37:46 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 7BF905F9-F6D0-4E48-AC13-3276122217DB
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16391 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:37:46 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2079917561-1313404624-1982993324-3675726354
Account Name: 7BF905F9-F6D0-4E48-AC13-3276122217DB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3E139D
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16390 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:37:46 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2079917561-1313404624-1982993324-3675726354
Account Name: 7BF905F9-F6D0-4E48-AC13-3276122217DB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3E139D
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16389 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:37:46 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2079917561-1313404624-1982993324-3675726354
Account Name: 7BF905F9-F6D0-4E48-AC13-3276122217DB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3E139D
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16388 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:37:46 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 7BF905F9-F6D0-4E48-AC13-3276122217DB
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16387 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:37:46 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2079917561-1313404624-1982993324-3675726354
Account Name: 7BF905F9-F6D0-4E48-AC13-3276122217DB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3E1354
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16386 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:37:46 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2079917561-1313404624-1982993324-3675726354
Account Name: 7BF905F9-F6D0-4E48-AC13-3276122217DB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3E1354
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16385 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:37:46 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2079917561-1313404624-1982993324-3675726354
Account Name: 7BF905F9-F6D0-4E48-AC13-3276122217DB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3E1354
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16384 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:37:46 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 7BF905F9-F6D0-4E48-AC13-3276122217DB
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16383 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:37:46 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2079917561-1313404624-1982993324-3675726354
Account Name: 7BF905F9-F6D0-4E48-AC13-3276122217DB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3E121B
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16382 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:37:46 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2079917561-1313404624-1982993324-3675726354
Account Name: 7BF905F9-F6D0-4E48-AC13-3276122217DB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3E121B
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16381 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:37:46 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 7BF905F9-F6D0-4E48-AC13-3276122217DB
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16380 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:37:46 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x3C78D6
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16379 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:37:16 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-826998322-1242018220-1318551981-4223363083
Account Name: 314AFE32-B1AC-4A07-AD81-974E0B68BBFB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3D7E48
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16378 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:37:06 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-826998322-1242018220-1318551981-4223363083
Account Name: 314AFE32-B1AC-4A07-AD81-974E0B68BBFB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3D7E48
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16377 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:37:06 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-826998322-1242018220-1318551981-4223363083
Account Name: 314AFE32-B1AC-4A07-AD81-974E0B68BBFB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3D7E48
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16376 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:37:06 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 314AFE32-B1AC-4A07-AD81-974E0B68BBFB
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16375 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:37:06 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-826998322-1242018220-1318551981-4223363083
Account Name: 314AFE32-B1AC-4A07-AD81-974E0B68BBFB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3D5044
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16374 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:37:00 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-826998322-1242018220-1318551981-4223363083
Account Name: 314AFE32-B1AC-4A07-AD81-974E0B68BBFB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3D5044
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16373 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:37:00 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-826998322-1242018220-1318551981-4223363083
Account Name: 314AFE32-B1AC-4A07-AD81-974E0B68BBFB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3D5044
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16372 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:37:00 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 314AFE32-B1AC-4A07-AD81-974E0B68BBFB
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16371 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:37:00 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-826998322-1242018220-1318551981-4223363083
Account Name: 314AFE32-B1AC-4A07-AD81-974E0B68BBFB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3D41C4
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16370 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:37:00 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-826998322-1242018220-1318551981-4223363083
Account Name: 314AFE32-B1AC-4A07-AD81-974E0B68BBFB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3D4310
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16369 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:37:00 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-826998322-1242018220-1318551981-4223363083
Account Name: 314AFE32-B1AC-4A07-AD81-974E0B68BBFB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3D4310
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16368 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:37:00 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 314AFE32-B1AC-4A07-AD81-974E0B68BBFB
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16367 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:37:00 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-826998322-1242018220-1318551981-4223363083
Account Name: 314AFE32-B1AC-4A07-AD81-974E0B68BBFB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3D42B7
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16366 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:37:00 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-826998322-1242018220-1318551981-4223363083
Account Name: 314AFE32-B1AC-4A07-AD81-974E0B68BBFB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3D42B7
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16365 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:37:00 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-826998322-1242018220-1318551981-4223363083
Account Name: 314AFE32-B1AC-4A07-AD81-974E0B68BBFB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3D42B7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16364 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:37:00 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 314AFE32-B1AC-4A07-AD81-974E0B68BBFB
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16363 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:37:00 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-826998322-1242018220-1318551981-4223363083
Account Name: 314AFE32-B1AC-4A07-AD81-974E0B68BBFB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3D426A
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16362 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:37:00 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-826998322-1242018220-1318551981-4223363083
Account Name: 314AFE32-B1AC-4A07-AD81-974E0B68BBFB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3D426A
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16361 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:37:00 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-826998322-1242018220-1318551981-4223363083
Account Name: 314AFE32-B1AC-4A07-AD81-974E0B68BBFB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3D426A
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16360 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:37:00 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 314AFE32-B1AC-4A07-AD81-974E0B68BBFB
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16359 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:37:00 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-826998322-1242018220-1318551981-4223363083
Account Name: 314AFE32-B1AC-4A07-AD81-974E0B68BBFB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3D41C4
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16358 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:37:00 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-826998322-1242018220-1318551981-4223363083
Account Name: 314AFE32-B1AC-4A07-AD81-974E0B68BBFB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3D41C4
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16357 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:37:00 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 314AFE32-B1AC-4A07-AD81-974E0B68BBFB
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16356 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:37:00 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1734422910-1311431045-714914189-2715778871
Account Name: 6761317E-D985-4E2A-8DB9-9C2A377FDFA1
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3D11E4
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16355 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:36:49 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1734422910-1311431045-714914189-2715778871
Account Name: 6761317E-D985-4E2A-8DB9-9C2A377FDFA1
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3D11E4
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16354 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:36:49 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1734422910-1311431045-714914189-2715778871
Account Name: 6761317E-D985-4E2A-8DB9-9C2A377FDFA1
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3D11E4
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16353 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:36:49 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 6761317E-D985-4E2A-8DB9-9C2A377FDFA1
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16352 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:36:49 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1389236053-1111019559-3257552769-233011699
Account Name: 52CE0F55-D027-4238-814F-2AC2F379E30D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3C4DDD
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16351 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:36:45 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1389236053-1111019559-3257552769-233011699
Account Name: 52CE0F55-D027-4238-814F-2AC2F379E30D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3CB12C
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16350 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:36:41 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1389236053-1111019559-3257552769-233011699
Account Name: 52CE0F55-D027-4238-814F-2AC2F379E30D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3CB12C
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16349 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:36:41 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1389236053-1111019559-3257552769-233011699
Account Name: 52CE0F55-D027-4238-814F-2AC2F379E30D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3CB12C
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16348 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:36:41 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 52CE0F55-D027-4238-814F-2AC2F379E30D
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16347 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:36:41 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1734422910-1311431045-714914189-2715778871
Account Name: 6761317E-D985-4E2A-8DB9-9C2A377FDFA1
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3C8425
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16346 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:36:35 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1734422910-1311431045-714914189-2715778871
Account Name: 6761317E-D985-4E2A-8DB9-9C2A377FDFA1
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3C8425
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16345 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:36:35 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1734422910-1311431045-714914189-2715778871
Account Name: 6761317E-D985-4E2A-8DB9-9C2A377FDFA1
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3C8425
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16344 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:36:35 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 6761317E-D985-4E2A-8DB9-9C2A377FDFA1
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16343 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:36:35 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Identification
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x3C78D6
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {263E8714-E751-0AC8-D615-26BB3905D945}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 64161
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16342 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:36:35 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x3C78D6
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16341 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:36:35 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1734422910-1311431045-714914189-2715778871
Account Name: 6761317E-D985-4E2A-8DB9-9C2A377FDFA1
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3C7540
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16340 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:36:35 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1734422910-1311431045-714914189-2715778871
Account Name: 6761317E-D985-4E2A-8DB9-9C2A377FDFA1
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3C7687
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16339 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:36:35 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1734422910-1311431045-714914189-2715778871
Account Name: 6761317E-D985-4E2A-8DB9-9C2A377FDFA1
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3C7687
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16338 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:36:35 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 6761317E-D985-4E2A-8DB9-9C2A377FDFA1
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16337 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:36:35 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1734422910-1311431045-714914189-2715778871
Account Name: 6761317E-D985-4E2A-8DB9-9C2A377FDFA1
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3C762E
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16336 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:36:35 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1734422910-1311431045-714914189-2715778871
Account Name: 6761317E-D985-4E2A-8DB9-9C2A377FDFA1
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3C762E
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16335 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:36:35 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1734422910-1311431045-714914189-2715778871
Account Name: 6761317E-D985-4E2A-8DB9-9C2A377FDFA1
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3C762E
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16334 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:36:35 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 6761317E-D985-4E2A-8DB9-9C2A377FDFA1
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16333 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:36:35 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1734422910-1311431045-714914189-2715778871
Account Name: 6761317E-D985-4E2A-8DB9-9C2A377FDFA1
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3C75E5
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16332 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:36:35 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1734422910-1311431045-714914189-2715778871
Account Name: 6761317E-D985-4E2A-8DB9-9C2A377FDFA1
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3C75E5
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16331 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:36:35 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1734422910-1311431045-714914189-2715778871
Account Name: 6761317E-D985-4E2A-8DB9-9C2A377FDFA1
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3C75E5
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16330 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:36:35 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 6761317E-D985-4E2A-8DB9-9C2A377FDFA1
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16329 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:36:35 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1734422910-1311431045-714914189-2715778871
Account Name: 6761317E-D985-4E2A-8DB9-9C2A377FDFA1
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3C7540
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16328 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:36:35 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1734422910-1311431045-714914189-2715778871
Account Name: 6761317E-D985-4E2A-8DB9-9C2A377FDFA1
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3C7540
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16327 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:36:35 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 6761317E-D985-4E2A-8DB9-9C2A377FDFA1
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16326 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:36:35 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1389236053-1111019559-3257552769-233011699
Account Name: 52CE0F55-D027-4238-814F-2AC2F379E30D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3C5BAC
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16325 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:36:31 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1389236053-1111019559-3257552769-233011699
Account Name: 52CE0F55-D027-4238-814F-2AC2F379E30D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3C5BAC
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16324 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:36:31 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1389236053-1111019559-3257552769-233011699
Account Name: 52CE0F55-D027-4238-814F-2AC2F379E30D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3C5BAC
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16323 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:36:31 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 52CE0F55-D027-4238-814F-2AC2F379E30D
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16322 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:36:31 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1389236053-1111019559-3257552769-233011699
Account Name: 52CE0F55-D027-4238-814F-2AC2F379E30D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3C4C92
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16321 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:36:31 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1389236053-1111019559-3257552769-233011699
Account Name: 52CE0F55-D027-4238-814F-2AC2F379E30D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3C4DDD
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16320 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:36:31 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1389236053-1111019559-3257552769-233011699
Account Name: 52CE0F55-D027-4238-814F-2AC2F379E30D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3C4DDD
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16319 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:36:31 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 52CE0F55-D027-4238-814F-2AC2F379E30D
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16318 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:36:31 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1389236053-1111019559-3257552769-233011699
Account Name: 52CE0F55-D027-4238-814F-2AC2F379E30D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3C4D84
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16317 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:36:31 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1389236053-1111019559-3257552769-233011699
Account Name: 52CE0F55-D027-4238-814F-2AC2F379E30D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3C4D84
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16316 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:36:31 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1389236053-1111019559-3257552769-233011699
Account Name: 52CE0F55-D027-4238-814F-2AC2F379E30D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3C4D84
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16315 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:36:31 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 52CE0F55-D027-4238-814F-2AC2F379E30D
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16314 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:36:31 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1389236053-1111019559-3257552769-233011699
Account Name: 52CE0F55-D027-4238-814F-2AC2F379E30D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3C4D37
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16313 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:36:31 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1389236053-1111019559-3257552769-233011699
Account Name: 52CE0F55-D027-4238-814F-2AC2F379E30D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3C4D37
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16312 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:36:31 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1389236053-1111019559-3257552769-233011699
Account Name: 52CE0F55-D027-4238-814F-2AC2F379E30D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3C4D37
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16311 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:36:31 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 52CE0F55-D027-4238-814F-2AC2F379E30D
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16310 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:36:31 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1389236053-1111019559-3257552769-233011699
Account Name: 52CE0F55-D027-4238-814F-2AC2F379E30D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3C4C92
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16309 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:36:31 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1389236053-1111019559-3257552769-233011699
Account Name: 52CE0F55-D027-4238-814F-2AC2F379E30D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3C4C92
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16308 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:36:31 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 52CE0F55-D027-4238-814F-2AC2F379E30D
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16307 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:36:31 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1134580873-1339322791-3687361981-4211414800
Account Name: 43A05489-71A7-4FD4-BDAD-C8DB101705FB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3B7B65
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16306 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:36:05 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1134580873-1339322791-3687361981-4211414800
Account Name: 43A05489-71A7-4FD4-BDAD-C8DB101705FB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3BC57B
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16305 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:36:00 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1134580873-1339322791-3687361981-4211414800
Account Name: 43A05489-71A7-4FD4-BDAD-C8DB101705FB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3BC57B
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16304 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:36:00 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1134580873-1339322791-3687361981-4211414800
Account Name: 43A05489-71A7-4FD4-BDAD-C8DB101705FB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3BC57B
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16303 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:36:00 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 43A05489-71A7-4FD4-BDAD-C8DB101705FB
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16302 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:36:00 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1373420395-1229859996-2044414127-2450050722
Account Name: 51DCBB6B-2C9C-494E-AF48-DB79A2CE0892
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x348632
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16301 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:35:52 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1134580873-1339322791-3687361981-4211414800
Account Name: 43A05489-71A7-4FD4-BDAD-C8DB101705FB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3B8894
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16300 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:35:51 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1134580873-1339322791-3687361981-4211414800
Account Name: 43A05489-71A7-4FD4-BDAD-C8DB101705FB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3B8894
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16299 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:35:51 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1134580873-1339322791-3687361981-4211414800
Account Name: 43A05489-71A7-4FD4-BDAD-C8DB101705FB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3B8894
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16298 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:35:51 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 43A05489-71A7-4FD4-BDAD-C8DB101705FB
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16297 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:35:51 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1134580873-1339322791-3687361981-4211414800
Account Name: 43A05489-71A7-4FD4-BDAD-C8DB101705FB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3B79A2
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16296 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:35:51 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1134580873-1339322791-3687361981-4211414800
Account Name: 43A05489-71A7-4FD4-BDAD-C8DB101705FB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3B7B65
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16295 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:35:51 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1134580873-1339322791-3687361981-4211414800
Account Name: 43A05489-71A7-4FD4-BDAD-C8DB101705FB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3B7B65
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16294 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:35:51 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 43A05489-71A7-4FD4-BDAD-C8DB101705FB
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16293 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:35:51 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1134580873-1339322791-3687361981-4211414800
Account Name: 43A05489-71A7-4FD4-BDAD-C8DB101705FB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3B7A95
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16292 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:35:51 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1134580873-1339322791-3687361981-4211414800
Account Name: 43A05489-71A7-4FD4-BDAD-C8DB101705FB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3B7A95
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16291 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:35:51 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1134580873-1339322791-3687361981-4211414800
Account Name: 43A05489-71A7-4FD4-BDAD-C8DB101705FB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3B7A95
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16290 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:35:51 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 43A05489-71A7-4FD4-BDAD-C8DB101705FB
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16289 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:35:51 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1134580873-1339322791-3687361981-4211414800
Account Name: 43A05489-71A7-4FD4-BDAD-C8DB101705FB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3B7A48
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16288 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:35:51 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1134580873-1339322791-3687361981-4211414800
Account Name: 43A05489-71A7-4FD4-BDAD-C8DB101705FB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3B7A48
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16287 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:35:51 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1134580873-1339322791-3687361981-4211414800
Account Name: 43A05489-71A7-4FD4-BDAD-C8DB101705FB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3B7A48
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16286 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:35:51 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 43A05489-71A7-4FD4-BDAD-C8DB101705FB
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16285 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:35:51 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1134580873-1339322791-3687361981-4211414800
Account Name: 43A05489-71A7-4FD4-BDAD-C8DB101705FB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3B79A2
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16284 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:35:51 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1134580873-1339322791-3687361981-4211414800
Account Name: 43A05489-71A7-4FD4-BDAD-C8DB101705FB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3B79A2
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16283 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:35:51 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 43A05489-71A7-4FD4-BDAD-C8DB101705FB
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16282 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:35:51 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x394BC4
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16281 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:35:46 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2127859055-1329349081-446086026-1855807495
Account Name: 7ED48D6F-41D9-4F3C-8ABB-961A07609D6E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x39F1B0
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16280 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:35:45 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1738371062-1309040501-3731989648-2365667293
Account Name: 679D6FF6-5F75-4E06-90A4-71DEDD37018D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x394C7A
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16279 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:35:25 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2127859055-1329349081-446086026-1855807495
Account Name: 7ED48D6F-41D9-4F3C-8ABB-961A07609D6E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3A3151
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16278 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:35:03 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2127859055-1329349081-446086026-1855807495
Account Name: 7ED48D6F-41D9-4F3C-8ABB-961A07609D6E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3A3151
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16277 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:35:03 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2127859055-1329349081-446086026-1855807495
Account Name: 7ED48D6F-41D9-4F3C-8ABB-961A07609D6E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3A3151
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16276 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:35:03 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 7ED48D6F-41D9-4F3C-8ABB-961A07609D6E
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16275 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:35:03 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2127859055-1329349081-446086026-1855807495
Account Name: 7ED48D6F-41D9-4F3C-8ABB-961A07609D6E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3A0014
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16274 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:55 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2127859055-1329349081-446086026-1855807495
Account Name: 7ED48D6F-41D9-4F3C-8ABB-961A07609D6E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3A0014
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16273 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:55 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2127859055-1329349081-446086026-1855807495
Account Name: 7ED48D6F-41D9-4F3C-8ABB-961A07609D6E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3A0014
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16272 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:55 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 7ED48D6F-41D9-4F3C-8ABB-961A07609D6E
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16271 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:55 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-163216161-1261202215-3776011435-2139244595
Account Name: 09BA7B21-6B27-4B2C-AB5C-11E13348827F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x39FC11
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16270 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:55 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-163216161-1261202215-3776011435-2139244595
Account Name: 09BA7B21-6B27-4B2C-AB5C-11E13348827F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x39FC11
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16269 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:55 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-163216161-1261202215-3776011435-2139244595
Account Name: 09BA7B21-6B27-4B2C-AB5C-11E13348827F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x39FC11
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16268 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:55 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 09BA7B21-6B27-4B2C-AB5C-11E13348827F
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16267 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:55 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2127859055-1329349081-446086026-1855807495
Account Name: 7ED48D6F-41D9-4F3C-8ABB-961A07609D6E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x39F069
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16266 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:55 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2127859055-1329349081-446086026-1855807495
Account Name: 7ED48D6F-41D9-4F3C-8ABB-961A07609D6E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x39F1B0
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16265 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:55 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2127859055-1329349081-446086026-1855807495
Account Name: 7ED48D6F-41D9-4F3C-8ABB-961A07609D6E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x39F1B0
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16264 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:55 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 7ED48D6F-41D9-4F3C-8ABB-961A07609D6E
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16263 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:55 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2127859055-1329349081-446086026-1855807495
Account Name: 7ED48D6F-41D9-4F3C-8ABB-961A07609D6E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x39F157
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16262 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:55 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2127859055-1329349081-446086026-1855807495
Account Name: 7ED48D6F-41D9-4F3C-8ABB-961A07609D6E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x39F157
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16261 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:55 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2127859055-1329349081-446086026-1855807495
Account Name: 7ED48D6F-41D9-4F3C-8ABB-961A07609D6E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x39F157
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16260 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:55 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 7ED48D6F-41D9-4F3C-8ABB-961A07609D6E
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16259 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:55 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2127859055-1329349081-446086026-1855807495
Account Name: 7ED48D6F-41D9-4F3C-8ABB-961A07609D6E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x39F10E
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16258 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:55 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2127859055-1329349081-446086026-1855807495
Account Name: 7ED48D6F-41D9-4F3C-8ABB-961A07609D6E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x39F10E
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16257 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:55 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2127859055-1329349081-446086026-1855807495
Account Name: 7ED48D6F-41D9-4F3C-8ABB-961A07609D6E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x39F10E
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16256 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:55 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 7ED48D6F-41D9-4F3C-8ABB-961A07609D6E
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16255 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:55 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2127859055-1329349081-446086026-1855807495
Account Name: 7ED48D6F-41D9-4F3C-8ABB-961A07609D6E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x39F069
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16254 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:55 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2127859055-1329349081-446086026-1855807495
Account Name: 7ED48D6F-41D9-4F3C-8ABB-961A07609D6E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x39F069
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16253 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:55 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 7ED48D6F-41D9-4F3C-8ABB-961A07609D6E
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16252 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:55 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-34610013-1257268271-1375860158-2591436437
Account Name: 02101B5D-642F-4AF0-BEF5-0152952E769A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x386491
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16251 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:47 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1738371062-1309040501-3731989648-2365667293
Account Name: 679D6FF6-5F75-4E06-90A4-71DEDD37018D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x399711
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16250 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:42 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1738371062-1309040501-3731989648-2365667293
Account Name: 679D6FF6-5F75-4E06-90A4-71DEDD37018D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x399711
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16249 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:42 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1738371062-1309040501-3731989648-2365667293
Account Name: 679D6FF6-5F75-4E06-90A4-71DEDD37018D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x399711
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16248 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:42 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 679D6FF6-5F75-4E06-90A4-71DEDD37018D
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16247 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:42 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1738371062-1309040501-3731989648-2365667293
Account Name: 679D6FF6-5F75-4E06-90A4-71DEDD37018D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x395A92
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16246 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:35 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1738371062-1309040501-3731989648-2365667293
Account Name: 679D6FF6-5F75-4E06-90A4-71DEDD37018D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x395A92
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16245 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:35 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1738371062-1309040501-3731989648-2365667293
Account Name: 679D6FF6-5F75-4E06-90A4-71DEDD37018D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x395A92
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16244 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:35 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 679D6FF6-5F75-4E06-90A4-71DEDD37018D
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16243 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:35 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1738371062-1309040501-3731989648-2365667293
Account Name: 679D6FF6-5F75-4E06-90A4-71DEDD37018D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x394B1C
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16242 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:34 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1738371062-1309040501-3731989648-2365667293
Account Name: 679D6FF6-5F75-4E06-90A4-71DEDD37018D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x394C7A
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16241 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:34 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1738371062-1309040501-3731989648-2365667293
Account Name: 679D6FF6-5F75-4E06-90A4-71DEDD37018D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x394C7A
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16240 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:34 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 679D6FF6-5F75-4E06-90A4-71DEDD37018D
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16239 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:34 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1738371062-1309040501-3731989648-2365667293
Account Name: 679D6FF6-5F75-4E06-90A4-71DEDD37018D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x394C1C
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16238 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:34 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1738371062-1309040501-3731989648-2365667293
Account Name: 679D6FF6-5F75-4E06-90A4-71DEDD37018D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x394C1C
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16237 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:34 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1738371062-1309040501-3731989648-2365667293
Account Name: 679D6FF6-5F75-4E06-90A4-71DEDD37018D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x394C1C
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16236 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:34 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 679D6FF6-5F75-4E06-90A4-71DEDD37018D
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16235 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:34 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1738371062-1309040501-3731989648-2365667293
Account Name: 679D6FF6-5F75-4E06-90A4-71DEDD37018D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x394BC3
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16234 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:34 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1738371062-1309040501-3731989648-2365667293
Account Name: 679D6FF6-5F75-4E06-90A4-71DEDD37018D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x394BC3
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16233 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:34 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1738371062-1309040501-3731989648-2365667293
Account Name: 679D6FF6-5F75-4E06-90A4-71DEDD37018D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x394BC3
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16232 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:34 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 679D6FF6-5F75-4E06-90A4-71DEDD37018D
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16231 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:34 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Identification
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x394BC4
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {263E8714-E751-0AC8-D615-26BB3905D945}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 64143
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16230 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:34 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x394BC4
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16229 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:34 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1738371062-1309040501-3731989648-2365667293
Account Name: 679D6FF6-5F75-4E06-90A4-71DEDD37018D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x394B1C
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16228 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:34 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1738371062-1309040501-3731989648-2365667293
Account Name: 679D6FF6-5F75-4E06-90A4-71DEDD37018D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x394B1C
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16227 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:34 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 679D6FF6-5F75-4E06-90A4-71DEDD37018D
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16226 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:34 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1406306840-1268665688-3338268038-694386322
Account Name: 53D28A18-4D58-4B9E-86ED-F9C6927E6329
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x382AA9
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16225 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:31 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-34610013-1257268271-1375860158-2591436437
Account Name: 02101B5D-642F-4AF0-BEF5-0152952E769A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x38E37D
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16224 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:23 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-34610013-1257268271-1375860158-2591436437
Account Name: 02101B5D-642F-4AF0-BEF5-0152952E769A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x38E37D
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16223 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:23 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-34610013-1257268271-1375860158-2591436437
Account Name: 02101B5D-642F-4AF0-BEF5-0152952E769A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x38E37D
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16222 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:23 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 02101B5D-642F-4AF0-BEF5-0152952E769A
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16221 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:23 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-163216161-1261202215-3776011435-2139244595
Account Name: 09BA7B21-6B27-4B2C-AB5C-11E13348827F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x38CDC6
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16220 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:22 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-163216161-1261202215-3776011435-2139244595
Account Name: 09BA7B21-6B27-4B2C-AB5C-11E13348827F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x38CDC6
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16219 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:22 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-163216161-1261202215-3776011435-2139244595
Account Name: 09BA7B21-6B27-4B2C-AB5C-11E13348827F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x38CDC6
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16218 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:22 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 09BA7B21-6B27-4B2C-AB5C-11E13348827F
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16217 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:22 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1406306840-1268665688-3338268038-694386322
Account Name: 53D28A18-4D58-4B9E-86ED-F9C6927E6329
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x38AAA8
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16216 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:20 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1406306840-1268665688-3338268038-694386322
Account Name: 53D28A18-4D58-4B9E-86ED-F9C6927E6329
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x38AAA8
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16215 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:20 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1406306840-1268665688-3338268038-694386322
Account Name: 53D28A18-4D58-4B9E-86ED-F9C6927E6329
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x38AAA8
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16214 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:20 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 53D28A18-4D58-4B9E-86ED-F9C6927E6329
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16213 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:20 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-34610013-1257268271-1375860158-2591436437
Account Name: 02101B5D-642F-4AF0-BEF5-0152952E769A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3872A9
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16212 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:15 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-34610013-1257268271-1375860158-2591436437
Account Name: 02101B5D-642F-4AF0-BEF5-0152952E769A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3872A9
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16211 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:15 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-34610013-1257268271-1375860158-2591436437
Account Name: 02101B5D-642F-4AF0-BEF5-0152952E769A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3872A9
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16210 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:15 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 02101B5D-642F-4AF0-BEF5-0152952E769A
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16209 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:15 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-34610013-1257268271-1375860158-2591436437
Account Name: 02101B5D-642F-4AF0-BEF5-0152952E769A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x38634A
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16208 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:14 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-34610013-1257268271-1375860158-2591436437
Account Name: 02101B5D-642F-4AF0-BEF5-0152952E769A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x386491
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16207 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:14 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-34610013-1257268271-1375860158-2591436437
Account Name: 02101B5D-642F-4AF0-BEF5-0152952E769A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x386491
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16206 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:14 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 02101B5D-642F-4AF0-BEF5-0152952E769A
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16205 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:14 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-34610013-1257268271-1375860158-2591436437
Account Name: 02101B5D-642F-4AF0-BEF5-0152952E769A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x386438
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16204 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:14 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-34610013-1257268271-1375860158-2591436437
Account Name: 02101B5D-642F-4AF0-BEF5-0152952E769A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x386438
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16203 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:14 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-34610013-1257268271-1375860158-2591436437
Account Name: 02101B5D-642F-4AF0-BEF5-0152952E769A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x386438
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16202 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:14 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 02101B5D-642F-4AF0-BEF5-0152952E769A
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16201 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:14 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-34610013-1257268271-1375860158-2591436437
Account Name: 02101B5D-642F-4AF0-BEF5-0152952E769A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3863EF
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16200 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:14 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-34610013-1257268271-1375860158-2591436437
Account Name: 02101B5D-642F-4AF0-BEF5-0152952E769A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3863EF
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16199 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:14 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-34610013-1257268271-1375860158-2591436437
Account Name: 02101B5D-642F-4AF0-BEF5-0152952E769A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3863EF
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16198 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:14 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 02101B5D-642F-4AF0-BEF5-0152952E769A
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16197 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:14 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-34610013-1257268271-1375860158-2591436437
Account Name: 02101B5D-642F-4AF0-BEF5-0152952E769A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x38634A
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16196 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:14 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-34610013-1257268271-1375860158-2591436437
Account Name: 02101B5D-642F-4AF0-BEF5-0152952E769A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x38634A
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16195 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:14 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 02101B5D-642F-4AF0-BEF5-0152952E769A
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16194 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:14 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1406306840-1268665688-3338268038-694386322
Account Name: 53D28A18-4D58-4B9E-86ED-F9C6927E6329
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x383810
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16193 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:11 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1406306840-1268665688-3338268038-694386322
Account Name: 53D28A18-4D58-4B9E-86ED-F9C6927E6329
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x383810
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16192 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:11 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1406306840-1268665688-3338268038-694386322
Account Name: 53D28A18-4D58-4B9E-86ED-F9C6927E6329
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x383810
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16191 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:11 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 53D28A18-4D58-4B9E-86ED-F9C6927E6329
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16190 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:11 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1406306840-1268665688-3338268038-694386322
Account Name: 53D28A18-4D58-4B9E-86ED-F9C6927E6329
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x382961
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16189 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:10 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1406306840-1268665688-3338268038-694386322
Account Name: 53D28A18-4D58-4B9E-86ED-F9C6927E6329
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x382AA9
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16188 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:10 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1406306840-1268665688-3338268038-694386322
Account Name: 53D28A18-4D58-4B9E-86ED-F9C6927E6329
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x382AA9
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16187 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:10 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 53D28A18-4D58-4B9E-86ED-F9C6927E6329
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16186 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:10 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1406306840-1268665688-3338268038-694386322
Account Name: 53D28A18-4D58-4B9E-86ED-F9C6927E6329
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x382A50
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16185 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:10 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1406306840-1268665688-3338268038-694386322
Account Name: 53D28A18-4D58-4B9E-86ED-F9C6927E6329
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x382A50
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16184 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:10 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1406306840-1268665688-3338268038-694386322
Account Name: 53D28A18-4D58-4B9E-86ED-F9C6927E6329
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x382A50
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16183 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:10 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 53D28A18-4D58-4B9E-86ED-F9C6927E6329
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16182 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:10 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1406306840-1268665688-3338268038-694386322
Account Name: 53D28A18-4D58-4B9E-86ED-F9C6927E6329
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x382A07
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16181 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:10 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1406306840-1268665688-3338268038-694386322
Account Name: 53D28A18-4D58-4B9E-86ED-F9C6927E6329
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x382A07
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16180 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:10 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1406306840-1268665688-3338268038-694386322
Account Name: 53D28A18-4D58-4B9E-86ED-F9C6927E6329
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x382A07
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16179 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:10 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 53D28A18-4D58-4B9E-86ED-F9C6927E6329
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16178 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:10 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1406306840-1268665688-3338268038-694386322
Account Name: 53D28A18-4D58-4B9E-86ED-F9C6927E6329
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x382961
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16177 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:10 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1406306840-1268665688-3338268038-694386322
Account Name: 53D28A18-4D58-4B9E-86ED-F9C6927E6329
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x382961
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16176 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:10 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 53D28A18-4D58-4B9E-86ED-F9C6927E6329
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16175 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:34:10 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-163216161-1261202215-3776011435-2139244595
Account Name: 09BA7B21-6B27-4B2C-AB5C-11E13348827F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x37E0CD
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16174 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:33:36 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-163216161-1261202215-3776011435-2139244595
Account Name: 09BA7B21-6B27-4B2C-AB5C-11E13348827F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x37E0CD
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16173 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:33:36 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-163216161-1261202215-3776011435-2139244595
Account Name: 09BA7B21-6B27-4B2C-AB5C-11E13348827F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x37E0CD
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16172 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:33:36 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 09BA7B21-6B27-4B2C-AB5C-11E13348827F
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16171 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:33:36 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x379165
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16170 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:32:46 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Identification
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x379165
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {263E8714-E751-0AC8-D615-26BB3905D945}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 64115
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16169 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:32:33 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x379165
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16168 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:32:33 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-163216161-1261202215-3776011435-2139244595
Account Name: 09BA7B21-6B27-4B2C-AB5C-11E13348827F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x376BA5
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16167 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:32:18 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-163216161-1261202215-3776011435-2139244595
Account Name: 09BA7B21-6B27-4B2C-AB5C-11E13348827F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x376BA5
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16166 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:32:18 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-163216161-1261202215-3776011435-2139244595
Account Name: 09BA7B21-6B27-4B2C-AB5C-11E13348827F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x376BA5
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16165 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:32:18 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 09BA7B21-6B27-4B2C-AB5C-11E13348827F
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16164 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:32:18 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-163216161-1261202215-3776011435-2139244595
Account Name: 09BA7B21-6B27-4B2C-AB5C-11E13348827F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x373CB3
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16163 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:32:11 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-163216161-1261202215-3776011435-2139244595
Account Name: 09BA7B21-6B27-4B2C-AB5C-11E13348827F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x373CB3
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16162 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:32:11 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-163216161-1261202215-3776011435-2139244595
Account Name: 09BA7B21-6B27-4B2C-AB5C-11E13348827F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x373CB3
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16161 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:32:11 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 09BA7B21-6B27-4B2C-AB5C-11E13348827F
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16160 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:32:11 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-163216161-1261202215-3776011435-2139244595
Account Name: 09BA7B21-6B27-4B2C-AB5C-11E13348827F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x372CD6
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16159 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:32:11 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-163216161-1261202215-3776011435-2139244595
Account Name: 09BA7B21-6B27-4B2C-AB5C-11E13348827F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x372E99
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16158 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:32:11 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-163216161-1261202215-3776011435-2139244595
Account Name: 09BA7B21-6B27-4B2C-AB5C-11E13348827F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x372E99
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16157 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:32:11 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 09BA7B21-6B27-4B2C-AB5C-11E13348827F
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16156 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:32:11 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-163216161-1261202215-3776011435-2139244595
Account Name: 09BA7B21-6B27-4B2C-AB5C-11E13348827F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x372E3B
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16155 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:32:11 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-163216161-1261202215-3776011435-2139244595
Account Name: 09BA7B21-6B27-4B2C-AB5C-11E13348827F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x372E3B
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16154 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:32:11 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-163216161-1261202215-3776011435-2139244595
Account Name: 09BA7B21-6B27-4B2C-AB5C-11E13348827F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x372E3B
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16153 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:32:11 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 09BA7B21-6B27-4B2C-AB5C-11E13348827F
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16152 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:32:11 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-163216161-1261202215-3776011435-2139244595
Account Name: 09BA7B21-6B27-4B2C-AB5C-11E13348827F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x372D7C
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16151 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:32:11 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-163216161-1261202215-3776011435-2139244595
Account Name: 09BA7B21-6B27-4B2C-AB5C-11E13348827F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x372D7C
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16150 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:32:11 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-163216161-1261202215-3776011435-2139244595
Account Name: 09BA7B21-6B27-4B2C-AB5C-11E13348827F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x372D7C
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16149 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:32:11 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 09BA7B21-6B27-4B2C-AB5C-11E13348827F
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16148 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:32:11 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-163216161-1261202215-3776011435-2139244595
Account Name: 09BA7B21-6B27-4B2C-AB5C-11E13348827F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x372CD6
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16147 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:32:11 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-163216161-1261202215-3776011435-2139244595
Account Name: 09BA7B21-6B27-4B2C-AB5C-11E13348827F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x372CD6
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16146 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:32:11 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 09BA7B21-6B27-4B2C-AB5C-11E13348827F
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16145 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:32:11 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1373420395-1229859996-2044414127-2450050722
Account Name: 51DCBB6B-2C9C-494E-AF48-DB79A2CE0892
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x36E515
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16144 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:31:42 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1373420395-1229859996-2044414127-2450050722
Account Name: 51DCBB6B-2C9C-494E-AF48-DB79A2CE0892
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x36E515
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16143 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:31:42 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1373420395-1229859996-2044414127-2450050722
Account Name: 51DCBB6B-2C9C-494E-AF48-DB79A2CE0892
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x36E515
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16142 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:31:42 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 51DCBB6B-2C9C-494E-AF48-DB79A2CE0892
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16141 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:31:42 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1373420395-1229859996-2044414127-2450050722
Account Name: 51DCBB6B-2C9C-494E-AF48-DB79A2CE0892
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x36DACC
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16140 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:31:42 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1373420395-1229859996-2044414127-2450050722
Account Name: 51DCBB6B-2C9C-494E-AF48-DB79A2CE0892
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x36DACC
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16139 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:31:42 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1373420395-1229859996-2044414127-2450050722
Account Name: 51DCBB6B-2C9C-494E-AF48-DB79A2CE0892
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x36DACC
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16138 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:31:42 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 51DCBB6B-2C9C-494E-AF48-DB79A2CE0892
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16137 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:31:42 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1373420395-1229859996-2044414127-2450050722
Account Name: 51DCBB6B-2C9C-494E-AF48-DB79A2CE0892
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x36A4FB
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16136 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:31:36 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1373420395-1229859996-2044414127-2450050722
Account Name: 51DCBB6B-2C9C-494E-AF48-DB79A2CE0892
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x36A4FB
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16135 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:31:36 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1373420395-1229859996-2044414127-2450050722
Account Name: 51DCBB6B-2C9C-494E-AF48-DB79A2CE0892
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x36A4FB
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16134 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:31:36 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 51DCBB6B-2C9C-494E-AF48-DB79A2CE0892
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16133 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:31:36 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-546412563-1245270851-650528939-1264186767
Account Name: 20919813-5343-4A39-AB48-C6268FF5594B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2F3121
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16132 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:31:35 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1373420395-1229859996-2044414127-2450050722
Account Name: 51DCBB6B-2C9C-494E-AF48-DB79A2CE0892
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x361CF7
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16131 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:31:33 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1373420395-1229859996-2044414127-2450050722
Account Name: 51DCBB6B-2C9C-494E-AF48-DB79A2CE0892
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x361CF7
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16130 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:31:33 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1373420395-1229859996-2044414127-2450050722
Account Name: 51DCBB6B-2C9C-494E-AF48-DB79A2CE0892
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x361CF7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16129 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:31:33 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 51DCBB6B-2C9C-494E-AF48-DB79A2CE0892
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16128 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:31:33 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1373420395-1229859996-2044414127-2450050722
Account Name: 51DCBB6B-2C9C-494E-AF48-DB79A2CE0892
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x361496
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16127 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:31:33 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1373420395-1229859996-2044414127-2450050722
Account Name: 51DCBB6B-2C9C-494E-AF48-DB79A2CE0892
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x361496
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16126 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:31:33 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1373420395-1229859996-2044414127-2450050722
Account Name: 51DCBB6B-2C9C-494E-AF48-DB79A2CE0892
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x361496
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16125 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:31:33 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 51DCBB6B-2C9C-494E-AF48-DB79A2CE0892
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16124 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:31:33 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x34FECF
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16123 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:31:16 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1236606832-1280373032-3796075412-1149317704
Account Name: 49B51F70-F128-4C50-9483-43E248328144
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3514BF
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16122 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:31:07 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1236606832-1280373032-3796075412-1149317704
Account Name: 49B51F70-F128-4C50-9483-43E248328144
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x356315
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16121 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:30:54 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1236606832-1280373032-3796075412-1149317704
Account Name: 49B51F70-F128-4C50-9483-43E248328144
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x356315
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16120 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:30:54 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1236606832-1280373032-3796075412-1149317704
Account Name: 49B51F70-F128-4C50-9483-43E248328144
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x356315
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16119 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:30:54 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 49B51F70-F128-4C50-9483-43E248328144
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16118 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:30:54 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1236606832-1280373032-3796075412-1149317704
Account Name: 49B51F70-F128-4C50-9483-43E248328144
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x352371
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16117 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:30:47 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1236606832-1280373032-3796075412-1149317704
Account Name: 49B51F70-F128-4C50-9483-43E248328144
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x352371
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16116 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:30:47 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1236606832-1280373032-3796075412-1149317704
Account Name: 49B51F70-F128-4C50-9483-43E248328144
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x352371
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16115 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:30:47 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 49B51F70-F128-4C50-9483-43E248328144
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16114 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:30:47 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1236606832-1280373032-3796075412-1149317704
Account Name: 49B51F70-F128-4C50-9483-43E248328144
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x351377
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16113 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:30:46 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1236606832-1280373032-3796075412-1149317704
Account Name: 49B51F70-F128-4C50-9483-43E248328144
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3514BF
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16112 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:30:46 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1236606832-1280373032-3796075412-1149317704
Account Name: 49B51F70-F128-4C50-9483-43E248328144
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3514BF
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16111 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:30:46 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 49B51F70-F128-4C50-9483-43E248328144
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16110 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:30:46 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1236606832-1280373032-3796075412-1149317704
Account Name: 49B51F70-F128-4C50-9483-43E248328144
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x351466
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16109 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:30:46 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1236606832-1280373032-3796075412-1149317704
Account Name: 49B51F70-F128-4C50-9483-43E248328144
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x351466
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16108 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:30:46 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1236606832-1280373032-3796075412-1149317704
Account Name: 49B51F70-F128-4C50-9483-43E248328144
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x351466
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16107 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:30:46 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 49B51F70-F128-4C50-9483-43E248328144
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16106 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:30:46 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1236606832-1280373032-3796075412-1149317704
Account Name: 49B51F70-F128-4C50-9483-43E248328144
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x35141D
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16105 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:30:46 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1236606832-1280373032-3796075412-1149317704
Account Name: 49B51F70-F128-4C50-9483-43E248328144
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x35141D
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16104 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:30:46 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1236606832-1280373032-3796075412-1149317704
Account Name: 49B51F70-F128-4C50-9483-43E248328144
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x35141D
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16103 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:30:46 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 49B51F70-F128-4C50-9483-43E248328144
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16102 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:30:46 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1236606832-1280373032-3796075412-1149317704
Account Name: 49B51F70-F128-4C50-9483-43E248328144
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x351377
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16101 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:30:46 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1236606832-1280373032-3796075412-1149317704
Account Name: 49B51F70-F128-4C50-9483-43E248328144
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x351377
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16100 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:30:46 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 49B51F70-F128-4C50-9483-43E248328144
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16099 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:30:46 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Identification
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x34FECF
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {263E8714-E751-0AC8-D615-26BB3905D945}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 64102
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16098 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:30:32 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x34FECF
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16097 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:30:32 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1373420395-1229859996-2044414127-2450050722
Account Name: 51DCBB6B-2C9C-494E-AF48-DB79A2CE0892
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x34C488
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16096 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:30:03 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1373420395-1229859996-2044414127-2450050722
Account Name: 51DCBB6B-2C9C-494E-AF48-DB79A2CE0892
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x34C488
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16095 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:30:03 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1373420395-1229859996-2044414127-2450050722
Account Name: 51DCBB6B-2C9C-494E-AF48-DB79A2CE0892
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x34C488
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16094 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:30:03 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 51DCBB6B-2C9C-494E-AF48-DB79A2CE0892
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16093 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:30:03 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1373420395-1229859996-2044414127-2450050722
Account Name: 51DCBB6B-2C9C-494E-AF48-DB79A2CE0892
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3493C8
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16092 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:29:58 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1373420395-1229859996-2044414127-2450050722
Account Name: 51DCBB6B-2C9C-494E-AF48-DB79A2CE0892
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3493C8
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16091 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:29:58 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1373420395-1229859996-2044414127-2450050722
Account Name: 51DCBB6B-2C9C-494E-AF48-DB79A2CE0892
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3493C8
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16090 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:29:58 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 51DCBB6B-2C9C-494E-AF48-DB79A2CE0892
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16089 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:29:58 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1373420395-1229859996-2044414127-2450050722
Account Name: 51DCBB6B-2C9C-494E-AF48-DB79A2CE0892
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3484E6
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16088 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:29:57 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1373420395-1229859996-2044414127-2450050722
Account Name: 51DCBB6B-2C9C-494E-AF48-DB79A2CE0892
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x348632
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16087 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:29:57 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1373420395-1229859996-2044414127-2450050722
Account Name: 51DCBB6B-2C9C-494E-AF48-DB79A2CE0892
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x348632
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16086 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:29:57 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 51DCBB6B-2C9C-494E-AF48-DB79A2CE0892
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16085 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:29:57 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1373420395-1229859996-2044414127-2450050722
Account Name: 51DCBB6B-2C9C-494E-AF48-DB79A2CE0892
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3485D9
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16084 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:29:57 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1373420395-1229859996-2044414127-2450050722
Account Name: 51DCBB6B-2C9C-494E-AF48-DB79A2CE0892
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3485D9
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16083 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:29:57 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1373420395-1229859996-2044414127-2450050722
Account Name: 51DCBB6B-2C9C-494E-AF48-DB79A2CE0892
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3485D9
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16082 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:29:57 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 51DCBB6B-2C9C-494E-AF48-DB79A2CE0892
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16081 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:29:57 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1373420395-1229859996-2044414127-2450050722
Account Name: 51DCBB6B-2C9C-494E-AF48-DB79A2CE0892
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x34858B
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16080 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:29:57 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1373420395-1229859996-2044414127-2450050722
Account Name: 51DCBB6B-2C9C-494E-AF48-DB79A2CE0892
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x34858B
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16079 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:29:57 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1373420395-1229859996-2044414127-2450050722
Account Name: 51DCBB6B-2C9C-494E-AF48-DB79A2CE0892
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x34858B
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16078 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:29:57 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 51DCBB6B-2C9C-494E-AF48-DB79A2CE0892
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16077 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:29:57 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1373420395-1229859996-2044414127-2450050722
Account Name: 51DCBB6B-2C9C-494E-AF48-DB79A2CE0892
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3484E6
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16076 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:29:57 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1373420395-1229859996-2044414127-2450050722
Account Name: 51DCBB6B-2C9C-494E-AF48-DB79A2CE0892
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3484E6
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16075 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:29:57 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 51DCBB6B-2C9C-494E-AF48-DB79A2CE0892
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16074 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:29:57 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x327043
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16073 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:29:46 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-876053081-1086786851-2774043580-3509474678
Account Name: 34378259-0D23-40C7-BC8B-58A576552ED1
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x337F9F
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16072 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:29:26 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-876053081-1086786851-2774043580-3509474678
Account Name: 34378259-0D23-40C7-BC8B-58A576552ED1
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x340B34
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16071 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:29:21 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-876053081-1086786851-2774043580-3509474678
Account Name: 34378259-0D23-40C7-BC8B-58A576552ED1
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x340B34
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16070 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:29:21 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-876053081-1086786851-2774043580-3509474678
Account Name: 34378259-0D23-40C7-BC8B-58A576552ED1
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x340B34
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16069 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:29:21 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 34378259-0D23-40C7-BC8B-58A576552ED1
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16068 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:29:21 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2998866220-1118027230-2337143737-2458897669
Account Name: B2BF112C-BDDE-42A3-B9FB-4D8B05CD8F92
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2F5E0F
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16067 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:29:18 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-876053081-1086786851-2774043580-3509474678
Account Name: 34378259-0D23-40C7-BC8B-58A576552ED1
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x338D56
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16066 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:29:15 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-876053081-1086786851-2774043580-3509474678
Account Name: 34378259-0D23-40C7-BC8B-58A576552ED1
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x338D56
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16065 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:29:15 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-876053081-1086786851-2774043580-3509474678
Account Name: 34378259-0D23-40C7-BC8B-58A576552ED1
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x338D56
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16064 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:29:15 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 34378259-0D23-40C7-BC8B-58A576552ED1
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16063 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:29:15 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-876053081-1086786851-2774043580-3509474678
Account Name: 34378259-0D23-40C7-BC8B-58A576552ED1
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x337E57
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16062 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:29:15 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-876053081-1086786851-2774043580-3509474678
Account Name: 34378259-0D23-40C7-BC8B-58A576552ED1
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x337F9F
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16061 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:29:15 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-876053081-1086786851-2774043580-3509474678
Account Name: 34378259-0D23-40C7-BC8B-58A576552ED1
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x337F9F
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16060 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:29:15 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 34378259-0D23-40C7-BC8B-58A576552ED1
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16059 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:29:15 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-876053081-1086786851-2774043580-3509474678
Account Name: 34378259-0D23-40C7-BC8B-58A576552ED1
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x337F46
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16058 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:29:15 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-876053081-1086786851-2774043580-3509474678
Account Name: 34378259-0D23-40C7-BC8B-58A576552ED1
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x337F46
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16057 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:29:15 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-876053081-1086786851-2774043580-3509474678
Account Name: 34378259-0D23-40C7-BC8B-58A576552ED1
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x337F46
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16056 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:29:15 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 34378259-0D23-40C7-BC8B-58A576552ED1
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16055 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:29:15 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-876053081-1086786851-2774043580-3509474678
Account Name: 34378259-0D23-40C7-BC8B-58A576552ED1
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x337EFD
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16054 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:29:15 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-876053081-1086786851-2774043580-3509474678
Account Name: 34378259-0D23-40C7-BC8B-58A576552ED1
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x337EFD
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16053 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:29:15 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-876053081-1086786851-2774043580-3509474678
Account Name: 34378259-0D23-40C7-BC8B-58A576552ED1
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x337EFD
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16052 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:29:15 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 34378259-0D23-40C7-BC8B-58A576552ED1
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16051 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:29:15 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-876053081-1086786851-2774043580-3509474678
Account Name: 34378259-0D23-40C7-BC8B-58A576552ED1
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x337E57
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16050 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:29:15 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-876053081-1086786851-2774043580-3509474678
Account Name: 34378259-0D23-40C7-BC8B-58A576552ED1
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x337E57
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16049 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:29:15 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 34378259-0D23-40C7-BC8B-58A576552ED1
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16048 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:29:15 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1462493175-1152371890-3315838900-140118005
Account Name: 572BDFF7-CCB2-44AF-B4AF-A3C5F5075A08
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x32A7FB
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16047 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:29:14 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2998866220-1118027230-2337143737-2458897669
Account Name: B2BF112C-BDDE-42A3-B9FB-4D8B05CD8F92
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x33489F
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16046 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:29:13 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2998866220-1118027230-2337143737-2458897669
Account Name: B2BF112C-BDDE-42A3-B9FB-4D8B05CD8F92
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x33489F
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16045 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:29:13 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2998866220-1118027230-2337143737-2458897669
Account Name: B2BF112C-BDDE-42A3-B9FB-4D8B05CD8F92
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x33489F
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16044 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:29:13 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: B2BF112C-BDDE-42A3-B9FB-4D8B05CD8F92
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16043 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:29:13 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1462493175-1152371890-3315838900-140118005
Account Name: 572BDFF7-CCB2-44AF-B4AF-A3C5F5075A08
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3303CE
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16042 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:28:51 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1462493175-1152371890-3315838900-140118005
Account Name: 572BDFF7-CCB2-44AF-B4AF-A3C5F5075A08
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3303CE
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16041 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:28:51 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1462493175-1152371890-3315838900-140118005
Account Name: 572BDFF7-CCB2-44AF-B4AF-A3C5F5075A08
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3303CE
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16040 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:28:51 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 572BDFF7-CCB2-44AF-B4AF-A3C5F5075A08
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16039 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:28:51 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1462493175-1152371890-3315838900-140118005
Account Name: 572BDFF7-CCB2-44AF-B4AF-A3C5F5075A08
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x32B61A
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16038 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:28:38 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1462493175-1152371890-3315838900-140118005
Account Name: 572BDFF7-CCB2-44AF-B4AF-A3C5F5075A08
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x32B61A
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16037 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:28:38 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1462493175-1152371890-3315838900-140118005
Account Name: 572BDFF7-CCB2-44AF-B4AF-A3C5F5075A08
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x32B61A
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16036 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:28:38 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 572BDFF7-CCB2-44AF-B4AF-A3C5F5075A08
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16035 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:28:38 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1462493175-1152371890-3315838900-140118005
Account Name: 572BDFF7-CCB2-44AF-B4AF-A3C5F5075A08
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x32A6B4
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16034 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:28:38 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1462493175-1152371890-3315838900-140118005
Account Name: 572BDFF7-CCB2-44AF-B4AF-A3C5F5075A08
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x32A7FB
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16033 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:28:38 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1462493175-1152371890-3315838900-140118005
Account Name: 572BDFF7-CCB2-44AF-B4AF-A3C5F5075A08
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x32A7FB
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16032 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:28:38 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 572BDFF7-CCB2-44AF-B4AF-A3C5F5075A08
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16031 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:28:38 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1462493175-1152371890-3315838900-140118005
Account Name: 572BDFF7-CCB2-44AF-B4AF-A3C5F5075A08
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x32A7A2
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16030 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:28:38 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1462493175-1152371890-3315838900-140118005
Account Name: 572BDFF7-CCB2-44AF-B4AF-A3C5F5075A08
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x32A7A2
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16029 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:28:38 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1462493175-1152371890-3315838900-140118005
Account Name: 572BDFF7-CCB2-44AF-B4AF-A3C5F5075A08
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x32A7A2
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16028 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:28:38 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 572BDFF7-CCB2-44AF-B4AF-A3C5F5075A08
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16027 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:28:38 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1462493175-1152371890-3315838900-140118005
Account Name: 572BDFF7-CCB2-44AF-B4AF-A3C5F5075A08
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x32A759
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16026 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:28:38 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1462493175-1152371890-3315838900-140118005
Account Name: 572BDFF7-CCB2-44AF-B4AF-A3C5F5075A08
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x32A759
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16025 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:28:38 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1462493175-1152371890-3315838900-140118005
Account Name: 572BDFF7-CCB2-44AF-B4AF-A3C5F5075A08
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x32A759
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16024 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:28:38 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 572BDFF7-CCB2-44AF-B4AF-A3C5F5075A08
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16023 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:28:38 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1462493175-1152371890-3315838900-140118005
Account Name: 572BDFF7-CCB2-44AF-B4AF-A3C5F5075A08
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x32A6B4
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16022 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:28:38 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1462493175-1152371890-3315838900-140118005
Account Name: 572BDFF7-CCB2-44AF-B4AF-A3C5F5075A08
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x32A6B4
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16021 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:28:38 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 572BDFF7-CCB2-44AF-B4AF-A3C5F5075A08
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16020 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:28:38 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-546412563-1245270851-650528939-1264186767
Account Name: 20919813-5343-4A39-AB48-C6268FF5594B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3284A8
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16019 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:28:36 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-546412563-1245270851-650528939-1264186767
Account Name: 20919813-5343-4A39-AB48-C6268FF5594B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3284A8
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16018 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:28:36 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-546412563-1245270851-650528939-1264186767
Account Name: 20919813-5343-4A39-AB48-C6268FF5594B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3284A8
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16017 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:28:36 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 20919813-5343-4A39-AB48-C6268FF5594B
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16016 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:28:36 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2998866220-1118027230-2337143737-2458897669
Account Name: B2BF112C-BDDE-42A3-B9FB-4D8B05CD8F92
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3277A6
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16015 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:28:35 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2998866220-1118027230-2337143737-2458897669
Account Name: B2BF112C-BDDE-42A3-B9FB-4D8B05CD8F92
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3277A6
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16014 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:28:35 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2998866220-1118027230-2337143737-2458897669
Account Name: B2BF112C-BDDE-42A3-B9FB-4D8B05CD8F92
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x3277A6
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16013 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:28:35 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: B2BF112C-BDDE-42A3-B9FB-4D8B05CD8F92
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16012 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:28:35 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Identification
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x327043
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {263E8714-E751-0AC8-D615-26BB3905D945}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 64085
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16011 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:28:31 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x327043
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16010 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:28:31 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-546412563-1245270851-650528939-1264186767
Account Name: 20919813-5343-4A39-AB48-C6268FF5594B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x318D89
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16009 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:28:07 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-546412563-1245270851-650528939-1264186767
Account Name: 20919813-5343-4A39-AB48-C6268FF5594B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x318D89
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16008 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:28:07 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-546412563-1245270851-650528939-1264186767
Account Name: 20919813-5343-4A39-AB48-C6268FF5594B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x318D89
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16007 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:28:07 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 20919813-5343-4A39-AB48-C6268FF5594B
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16006 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:28:07 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-546412563-1245270851-650528939-1264186767
Account Name: 20919813-5343-4A39-AB48-C6268FF5594B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x30B4B5
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16005 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:28:01 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-546412563-1245270851-650528939-1264186767
Account Name: 20919813-5343-4A39-AB48-C6268FF5594B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x30B4B5
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16004 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:28:01 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-546412563-1245270851-650528939-1264186767
Account Name: 20919813-5343-4A39-AB48-C6268FF5594B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x30B4B5
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 16003 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:28:01 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 20919813-5343-4A39-AB48-C6268FF5594B
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 16002 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:28:01 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2998866220-1118027230-2337143737-2458897669
Account Name: B2BF112C-BDDE-42A3-B9FB-4D8B05CD8F92
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x308D7E
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 16001 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:27:59 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2998866220-1118027230-2337143737-2458897669
Account Name: B2BF112C-BDDE-42A3-B9FB-4D8B05CD8F92
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x308D7E
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 16000 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:27:59 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2998866220-1118027230-2337143737-2458897669
Account Name: B2BF112C-BDDE-42A3-B9FB-4D8B05CD8F92
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x308D7E
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15999 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:27:59 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: B2BF112C-BDDE-42A3-B9FB-4D8B05CD8F92
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15998 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:27:59 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15997 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:27:57 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x328
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15996 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:27:57 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-546412563-1245270851-650528939-1264186767
Account Name: 20919813-5343-4A39-AB48-C6268FF5594B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2FC508
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15995 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:27:56 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-546412563-1245270851-650528939-1264186767
Account Name: 20919813-5343-4A39-AB48-C6268FF5594B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2FC508
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15994 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:27:56 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-546412563-1245270851-650528939-1264186767
Account Name: 20919813-5343-4A39-AB48-C6268FF5594B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2FC508
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15993 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:27:56 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 20919813-5343-4A39-AB48-C6268FF5594B
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15992 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:27:56 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3781180515-1335270591-3125113011-3304405130
Account Name: E1603C63-9CBF-4F96-B370-45BA8A38F5C4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2EEC1D
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15991 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:27:55 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2998866220-1118027230-2337143737-2458897669
Account Name: B2BF112C-BDDE-42A3-B9FB-4D8B05CD8F92
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2F6B36
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15990 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:27:53 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2998866220-1118027230-2337143737-2458897669
Account Name: B2BF112C-BDDE-42A3-B9FB-4D8B05CD8F92
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2F6B36
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15989 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:27:53 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2998866220-1118027230-2337143737-2458897669
Account Name: B2BF112C-BDDE-42A3-B9FB-4D8B05CD8F92
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2F6B36
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15988 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:27:53 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: B2BF112C-BDDE-42A3-B9FB-4D8B05CD8F92
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15987 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:27:53 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2998866220-1118027230-2337143737-2458897669
Account Name: B2BF112C-BDDE-42A3-B9FB-4D8B05CD8F92
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2F5CC7
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15986 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:27:52 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2998866220-1118027230-2337143737-2458897669
Account Name: B2BF112C-BDDE-42A3-B9FB-4D8B05CD8F92
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2F5E0F
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15985 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:27:52 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2998866220-1118027230-2337143737-2458897669
Account Name: B2BF112C-BDDE-42A3-B9FB-4D8B05CD8F92
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2F5E0F
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15984 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:27:52 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: B2BF112C-BDDE-42A3-B9FB-4D8B05CD8F92
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15983 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:27:52 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2998866220-1118027230-2337143737-2458897669
Account Name: B2BF112C-BDDE-42A3-B9FB-4D8B05CD8F92
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2F5DB6
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15982 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:27:52 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2998866220-1118027230-2337143737-2458897669
Account Name: B2BF112C-BDDE-42A3-B9FB-4D8B05CD8F92
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2F5DB6
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15981 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:27:52 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2998866220-1118027230-2337143737-2458897669
Account Name: B2BF112C-BDDE-42A3-B9FB-4D8B05CD8F92
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2F5DB6
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15980 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:27:52 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: B2BF112C-BDDE-42A3-B9FB-4D8B05CD8F92
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15979 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:27:52 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2998866220-1118027230-2337143737-2458897669
Account Name: B2BF112C-BDDE-42A3-B9FB-4D8B05CD8F92
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2F5D6D
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15978 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:27:52 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2998866220-1118027230-2337143737-2458897669
Account Name: B2BF112C-BDDE-42A3-B9FB-4D8B05CD8F92
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2F5D6D
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15977 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:27:52 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2998866220-1118027230-2337143737-2458897669
Account Name: B2BF112C-BDDE-42A3-B9FB-4D8B05CD8F92
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2F5D6D
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15976 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:27:52 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: B2BF112C-BDDE-42A3-B9FB-4D8B05CD8F92
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15975 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:27:52 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2998866220-1118027230-2337143737-2458897669
Account Name: B2BF112C-BDDE-42A3-B9FB-4D8B05CD8F92
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2F5CC7
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15974 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:27:52 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2998866220-1118027230-2337143737-2458897669
Account Name: B2BF112C-BDDE-42A3-B9FB-4D8B05CD8F92
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2F5CC7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15973 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:27:52 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: B2BF112C-BDDE-42A3-B9FB-4D8B05CD8F92
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15972 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:27:52 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3781180515-1335270591-3125113011-3304405130
Account Name: E1603C63-9CBF-4F96-B370-45BA8A38F5C4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2F3E73
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15971 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:27:50 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3781180515-1335270591-3125113011-3304405130
Account Name: E1603C63-9CBF-4F96-B370-45BA8A38F5C4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2F3E73
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15970 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:27:50 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3781180515-1335270591-3125113011-3304405130
Account Name: E1603C63-9CBF-4F96-B370-45BA8A38F5C4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2F3E73
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15969 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:27:50 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: E1603C63-9CBF-4F96-B370-45BA8A38F5C4
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15968 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:27:50 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-546412563-1245270851-650528939-1264186767
Account Name: 20919813-5343-4A39-AB48-C6268FF5594B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2F2FC3
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15967 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:27:49 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-546412563-1245270851-650528939-1264186767
Account Name: 20919813-5343-4A39-AB48-C6268FF5594B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2F3121
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15966 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:27:49 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-546412563-1245270851-650528939-1264186767
Account Name: 20919813-5343-4A39-AB48-C6268FF5594B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2F3121
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15965 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:27:49 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 20919813-5343-4A39-AB48-C6268FF5594B
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15964 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:27:49 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-546412563-1245270851-650528939-1264186767
Account Name: 20919813-5343-4A39-AB48-C6268FF5594B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2F30C8
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15963 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:27:49 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-546412563-1245270851-650528939-1264186767
Account Name: 20919813-5343-4A39-AB48-C6268FF5594B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2F30C8
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15962 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:27:49 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-546412563-1245270851-650528939-1264186767
Account Name: 20919813-5343-4A39-AB48-C6268FF5594B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2F30C8
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15961 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:27:49 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 20919813-5343-4A39-AB48-C6268FF5594B
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15960 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:27:49 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-546412563-1245270851-650528939-1264186767
Account Name: 20919813-5343-4A39-AB48-C6268FF5594B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2F307E
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15959 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:27:49 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-546412563-1245270851-650528939-1264186767
Account Name: 20919813-5343-4A39-AB48-C6268FF5594B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2F307E
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15958 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:27:49 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-546412563-1245270851-650528939-1264186767
Account Name: 20919813-5343-4A39-AB48-C6268FF5594B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2F307E
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15957 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:27:49 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 20919813-5343-4A39-AB48-C6268FF5594B
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15956 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:27:49 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-546412563-1245270851-650528939-1264186767
Account Name: 20919813-5343-4A39-AB48-C6268FF5594B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2F2FC3
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15955 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:27:49 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-546412563-1245270851-650528939-1264186767
Account Name: 20919813-5343-4A39-AB48-C6268FF5594B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2F2FC3
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15954 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:27:49 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 20919813-5343-4A39-AB48-C6268FF5594B
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15953 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:27:49 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3781180515-1335270591-3125113011-3304405130
Account Name: E1603C63-9CBF-4F96-B370-45BA8A38F5C4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2EF8E4
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15952 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:27:38 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3781180515-1335270591-3125113011-3304405130
Account Name: E1603C63-9CBF-4F96-B370-45BA8A38F5C4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2EF8E4
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15951 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:27:38 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3781180515-1335270591-3125113011-3304405130
Account Name: E1603C63-9CBF-4F96-B370-45BA8A38F5C4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2EF8E4
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15950 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:27:38 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: E1603C63-9CBF-4F96-B370-45BA8A38F5C4
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15949 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:27:38 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3781180515-1335270591-3125113011-3304405130
Account Name: E1603C63-9CBF-4F96-B370-45BA8A38F5C4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2EEAD2
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15948 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:27:38 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3781180515-1335270591-3125113011-3304405130
Account Name: E1603C63-9CBF-4F96-B370-45BA8A38F5C4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2EEC1D
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15947 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:27:38 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3781180515-1335270591-3125113011-3304405130
Account Name: E1603C63-9CBF-4F96-B370-45BA8A38F5C4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2EEC1D
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15946 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:27:38 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: E1603C63-9CBF-4F96-B370-45BA8A38F5C4
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15945 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:27:38 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3781180515-1335270591-3125113011-3304405130
Account Name: E1603C63-9CBF-4F96-B370-45BA8A38F5C4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2EEBC4
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15944 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:27:38 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3781180515-1335270591-3125113011-3304405130
Account Name: E1603C63-9CBF-4F96-B370-45BA8A38F5C4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2EEBC4
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15943 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:27:38 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3781180515-1335270591-3125113011-3304405130
Account Name: E1603C63-9CBF-4F96-B370-45BA8A38F5C4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2EEBC4
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15942 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:27:38 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: E1603C63-9CBF-4F96-B370-45BA8A38F5C4
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15941 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:27:38 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3781180515-1335270591-3125113011-3304405130
Account Name: E1603C63-9CBF-4F96-B370-45BA8A38F5C4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2EEB7B
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15940 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:27:38 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3781180515-1335270591-3125113011-3304405130
Account Name: E1603C63-9CBF-4F96-B370-45BA8A38F5C4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2EEB7B
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15939 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:27:38 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3781180515-1335270591-3125113011-3304405130
Account Name: E1603C63-9CBF-4F96-B370-45BA8A38F5C4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2EEB7B
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15938 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:27:38 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: E1603C63-9CBF-4F96-B370-45BA8A38F5C4
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15937 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:27:38 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3781180515-1335270591-3125113011-3304405130
Account Name: E1603C63-9CBF-4F96-B370-45BA8A38F5C4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2EEAD2
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15936 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:27:38 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3781180515-1335270591-3125113011-3304405130
Account Name: E1603C63-9CBF-4F96-B370-45BA8A38F5C4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2EEAD2
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15935 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:27:38 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: E1603C63-9CBF-4F96-B370-45BA8A38F5C4
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15934 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:27:38 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-415591280-1318319230-2983429311-921553189
Account Name: 18C56B70-F47E-4E93-BF84-D3B125C9ED36
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2CC29F
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15933 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:27:21 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-415591280-1318319230-2983429311-921553189
Account Name: 18C56B70-F47E-4E93-BF84-D3B125C9ED36
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2E8615
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15932 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:27:16 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-415591280-1318319230-2983429311-921553189
Account Name: 18C56B70-F47E-4E93-BF84-D3B125C9ED36
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2E8615
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15931 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:27:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-415591280-1318319230-2983429311-921553189
Account Name: 18C56B70-F47E-4E93-BF84-D3B125C9ED36
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2E8615
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15930 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:27:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 18C56B70-F47E-4E93-BF84-D3B125C9ED36
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15929 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:27:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2148046835-1147630243-3819284400-184672315
Account Name: 800897F3-72A3-4467-B0A7-A5E33BE0010B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2DD2DD
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15928 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:27:09 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2148046835-1147630243-3819284400-184672315
Account Name: 800897F3-72A3-4467-B0A7-A5E33BE0010B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2E20B9
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15927 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:27:03 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2148046835-1147630243-3819284400-184672315
Account Name: 800897F3-72A3-4467-B0A7-A5E33BE0010B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2E20B9
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15926 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:27:03 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2148046835-1147630243-3819284400-184672315
Account Name: 800897F3-72A3-4467-B0A7-A5E33BE0010B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2E20B9
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15925 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:27:03 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 800897F3-72A3-4467-B0A7-A5E33BE0010B
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15924 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:27:03 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2148046835-1147630243-3819284400-184672315
Account Name: 800897F3-72A3-4467-B0A7-A5E33BE0010B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2DE00D
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15923 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:26:53 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2148046835-1147630243-3819284400-184672315
Account Name: 800897F3-72A3-4467-B0A7-A5E33BE0010B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2DE00D
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15922 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:26:53 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2148046835-1147630243-3819284400-184672315
Account Name: 800897F3-72A3-4467-B0A7-A5E33BE0010B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2DE00D
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15921 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:26:53 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 800897F3-72A3-4467-B0A7-A5E33BE0010B
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15920 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:26:53 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2148046835-1147630243-3819284400-184672315
Account Name: 800897F3-72A3-4467-B0A7-A5E33BE0010B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2DD195
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15919 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:26:52 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2148046835-1147630243-3819284400-184672315
Account Name: 800897F3-72A3-4467-B0A7-A5E33BE0010B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2DD2DD
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15918 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:26:52 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2148046835-1147630243-3819284400-184672315
Account Name: 800897F3-72A3-4467-B0A7-A5E33BE0010B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2DD2DD
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15917 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:26:52 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 800897F3-72A3-4467-B0A7-A5E33BE0010B
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15916 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:26:52 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2148046835-1147630243-3819284400-184672315
Account Name: 800897F3-72A3-4467-B0A7-A5E33BE0010B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2DD284
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15915 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:26:52 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2148046835-1147630243-3819284400-184672315
Account Name: 800897F3-72A3-4467-B0A7-A5E33BE0010B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2DD284
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15914 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:26:52 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2148046835-1147630243-3819284400-184672315
Account Name: 800897F3-72A3-4467-B0A7-A5E33BE0010B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2DD284
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15913 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:26:52 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 800897F3-72A3-4467-B0A7-A5E33BE0010B
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15912 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:26:52 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2148046835-1147630243-3819284400-184672315
Account Name: 800897F3-72A3-4467-B0A7-A5E33BE0010B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2DD23B
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15911 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:26:52 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2148046835-1147630243-3819284400-184672315
Account Name: 800897F3-72A3-4467-B0A7-A5E33BE0010B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2DD23B
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15910 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:26:52 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2148046835-1147630243-3819284400-184672315
Account Name: 800897F3-72A3-4467-B0A7-A5E33BE0010B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2DD23B
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15909 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:26:52 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 800897F3-72A3-4467-B0A7-A5E33BE0010B
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15908 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:26:52 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2148046835-1147630243-3819284400-184672315
Account Name: 800897F3-72A3-4467-B0A7-A5E33BE0010B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2DD195
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15907 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:26:52 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2148046835-1147630243-3819284400-184672315
Account Name: 800897F3-72A3-4467-B0A7-A5E33BE0010B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2DD195
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15906 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:26:52 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 800897F3-72A3-4467-B0A7-A5E33BE0010B
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15905 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:26:52 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x2D9B95
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15904 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:26:46 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Identification
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x2D9B95
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {263E8714-E751-0AC8-D615-26BB3905D945}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 64064
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15903 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:26:30 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x2D9B95
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15902 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:26:30 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3107193093-1328469864-787840916-1222762834
Account Name: B9340105-D768-4F2E-947F-F52E52E1E148
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2C9B3D
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15901 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:26:05 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-415591280-1318319230-2983429311-921553189
Account Name: 18C56B70-F47E-4E93-BF84-D3B125C9ED36
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2D35B1
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15900 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:26:04 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-415591280-1318319230-2983429311-921553189
Account Name: 18C56B70-F47E-4E93-BF84-D3B125C9ED36
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2D35B1
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15899 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:26:04 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-415591280-1318319230-2983429311-921553189
Account Name: 18C56B70-F47E-4E93-BF84-D3B125C9ED36
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2D35B1
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15898 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:26:04 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 18C56B70-F47E-4E93-BF84-D3B125C9ED36
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15897 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:26:04 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3107193093-1328469864-787840916-1222762834
Account Name: B9340105-D768-4F2E-947F-F52E52E1E148
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2CF183
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15896 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:26:01 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3107193093-1328469864-787840916-1222762834
Account Name: B9340105-D768-4F2E-947F-F52E52E1E148
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2CF183
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15895 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:26:01 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3107193093-1328469864-787840916-1222762834
Account Name: B9340105-D768-4F2E-947F-F52E52E1E148
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2CF183
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15894 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:26:01 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: B9340105-D768-4F2E-947F-F52E52E1E148
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15893 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:26:01 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-415591280-1318319230-2983429311-921553189
Account Name: 18C56B70-F47E-4E93-BF84-D3B125C9ED36
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2CD034
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15892 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:25:58 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-415591280-1318319230-2983429311-921553189
Account Name: 18C56B70-F47E-4E93-BF84-D3B125C9ED36
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2CD034
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15891 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:25:58 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-415591280-1318319230-2983429311-921553189
Account Name: 18C56B70-F47E-4E93-BF84-D3B125C9ED36
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2CD034
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15890 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:25:58 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 18C56B70-F47E-4E93-BF84-D3B125C9ED36
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15889 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:25:58 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-415591280-1318319230-2983429311-921553189
Account Name: 18C56B70-F47E-4E93-BF84-D3B125C9ED36
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2CC158
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15888 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:25:57 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-415591280-1318319230-2983429311-921553189
Account Name: 18C56B70-F47E-4E93-BF84-D3B125C9ED36
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2CC29F
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15887 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:25:57 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-415591280-1318319230-2983429311-921553189
Account Name: 18C56B70-F47E-4E93-BF84-D3B125C9ED36
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2CC29F
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15886 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:25:57 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 18C56B70-F47E-4E93-BF84-D3B125C9ED36
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15885 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:25:57 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-415591280-1318319230-2983429311-921553189
Account Name: 18C56B70-F47E-4E93-BF84-D3B125C9ED36
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2CC246
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15884 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:25:57 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-415591280-1318319230-2983429311-921553189
Account Name: 18C56B70-F47E-4E93-BF84-D3B125C9ED36
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2CC246
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15883 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:25:57 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-415591280-1318319230-2983429311-921553189
Account Name: 18C56B70-F47E-4E93-BF84-D3B125C9ED36
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2CC246
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15882 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:25:57 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 18C56B70-F47E-4E93-BF84-D3B125C9ED36
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15881 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:25:57 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-415591280-1318319230-2983429311-921553189
Account Name: 18C56B70-F47E-4E93-BF84-D3B125C9ED36
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2CC1FD
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15880 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:25:57 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-415591280-1318319230-2983429311-921553189
Account Name: 18C56B70-F47E-4E93-BF84-D3B125C9ED36
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2CC1FD
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15879 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:25:57 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-415591280-1318319230-2983429311-921553189
Account Name: 18C56B70-F47E-4E93-BF84-D3B125C9ED36
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2CC1FD
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15878 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:25:57 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 18C56B70-F47E-4E93-BF84-D3B125C9ED36
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15877 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:25:57 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-415591280-1318319230-2983429311-921553189
Account Name: 18C56B70-F47E-4E93-BF84-D3B125C9ED36
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2CC158
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15876 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:25:57 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-415591280-1318319230-2983429311-921553189
Account Name: 18C56B70-F47E-4E93-BF84-D3B125C9ED36
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2CC158
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15875 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:25:57 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 18C56B70-F47E-4E93-BF84-D3B125C9ED36
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15874 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:25:57 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3107193093-1328469864-787840916-1222762834
Account Name: B9340105-D768-4F2E-947F-F52E52E1E148
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2CA878
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15873 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:25:54 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3107193093-1328469864-787840916-1222762834
Account Name: B9340105-D768-4F2E-947F-F52E52E1E148
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2CA878
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15872 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:25:54 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3107193093-1328469864-787840916-1222762834
Account Name: B9340105-D768-4F2E-947F-F52E52E1E148
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2CA878
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15871 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:25:54 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: B9340105-D768-4F2E-947F-F52E52E1E148
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15870 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:25:54 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3107193093-1328469864-787840916-1222762834
Account Name: B9340105-D768-4F2E-947F-F52E52E1E148
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2C99F6
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15869 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:25:54 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3107193093-1328469864-787840916-1222762834
Account Name: B9340105-D768-4F2E-947F-F52E52E1E148
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2C9B3D
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15868 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:25:54 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3107193093-1328469864-787840916-1222762834
Account Name: B9340105-D768-4F2E-947F-F52E52E1E148
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2C9B3D
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15867 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:25:54 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: B9340105-D768-4F2E-947F-F52E52E1E148
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15866 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:25:54 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3107193093-1328469864-787840916-1222762834
Account Name: B9340105-D768-4F2E-947F-F52E52E1E148
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2C9AE4
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15865 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:25:54 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3107193093-1328469864-787840916-1222762834
Account Name: B9340105-D768-4F2E-947F-F52E52E1E148
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2C9AE4
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15864 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:25:54 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3107193093-1328469864-787840916-1222762834
Account Name: B9340105-D768-4F2E-947F-F52E52E1E148
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2C9AE4
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15863 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:25:54 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: B9340105-D768-4F2E-947F-F52E52E1E148
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15862 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:25:54 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3107193093-1328469864-787840916-1222762834
Account Name: B9340105-D768-4F2E-947F-F52E52E1E148
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2C9A9B
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15861 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:25:54 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3107193093-1328469864-787840916-1222762834
Account Name: B9340105-D768-4F2E-947F-F52E52E1E148
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2C9A9B
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15860 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:25:54 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3107193093-1328469864-787840916-1222762834
Account Name: B9340105-D768-4F2E-947F-F52E52E1E148
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2C9A9B
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15859 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:25:54 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: B9340105-D768-4F2E-947F-F52E52E1E148
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15858 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:25:54 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3107193093-1328469864-787840916-1222762834
Account Name: B9340105-D768-4F2E-947F-F52E52E1E148
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2C99F6
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15857 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:25:53 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3107193093-1328469864-787840916-1222762834
Account Name: B9340105-D768-4F2E-947F-F52E52E1E148
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2C99F6
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15856 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:25:53 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: B9340105-D768-4F2E-947F-F52E52E1E148
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15855 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:25:53 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3970648558-1221539114-42428051-4179077650
Account Name: ECAB49EE-352A-48CF-9366-870212AA17F9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2B8B1E
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15854 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:25:39 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2502940841-1136696111-1298041261-3224348604
Account Name: 952FD8A9-9B2F-43C0-AD89-5E4DBCA72FC0
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2B585A
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15853 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:25:36 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3970648558-1221539114-42428051-4179077650
Account Name: ECAB49EE-352A-48CF-9366-870212AA17F9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2BEC83
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15852 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:25:34 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3970648558-1221539114-42428051-4179077650
Account Name: ECAB49EE-352A-48CF-9366-870212AA17F9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2BEC83
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15851 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:25:34 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3970648558-1221539114-42428051-4179077650
Account Name: ECAB49EE-352A-48CF-9366-870212AA17F9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2BEC83
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15850 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:25:34 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: ECAB49EE-352A-48CF-9366-870212AA17F9
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15849 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:25:34 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2502940841-1136696111-1298041261-3224348604
Account Name: 952FD8A9-9B2F-43C0-AD89-5E4DBCA72FC0
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2BBA20
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15848 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:25:27 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2502940841-1136696111-1298041261-3224348604
Account Name: 952FD8A9-9B2F-43C0-AD89-5E4DBCA72FC0
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2BBA20
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15847 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:25:27 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2502940841-1136696111-1298041261-3224348604
Account Name: 952FD8A9-9B2F-43C0-AD89-5E4DBCA72FC0
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2BBA20
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15846 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:25:27 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 952FD8A9-9B2F-43C0-AD89-5E4DBCA72FC0
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15845 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:25:27 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3970648558-1221539114-42428051-4179077650
Account Name: ECAB49EE-352A-48CF-9366-870212AA17F9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2B9803
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15844 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:25:24 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3970648558-1221539114-42428051-4179077650
Account Name: ECAB49EE-352A-48CF-9366-870212AA17F9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2B9803
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15843 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:25:24 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3970648558-1221539114-42428051-4179077650
Account Name: ECAB49EE-352A-48CF-9366-870212AA17F9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2B9803
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15842 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:25:24 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: ECAB49EE-352A-48CF-9366-870212AA17F9
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15841 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:25:24 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3970648558-1221539114-42428051-4179077650
Account Name: ECAB49EE-352A-48CF-9366-870212AA17F9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2B89D7
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15840 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:25:23 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3970648558-1221539114-42428051-4179077650
Account Name: ECAB49EE-352A-48CF-9366-870212AA17F9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2B8B1E
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15839 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:25:23 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3970648558-1221539114-42428051-4179077650
Account Name: ECAB49EE-352A-48CF-9366-870212AA17F9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2B8B1E
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15838 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:25:23 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: ECAB49EE-352A-48CF-9366-870212AA17F9
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15837 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:25:23 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3970648558-1221539114-42428051-4179077650
Account Name: ECAB49EE-352A-48CF-9366-870212AA17F9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2B8AC5
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15836 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:25:23 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3970648558-1221539114-42428051-4179077650
Account Name: ECAB49EE-352A-48CF-9366-870212AA17F9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2B8AC5
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15835 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:25:23 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3970648558-1221539114-42428051-4179077650
Account Name: ECAB49EE-352A-48CF-9366-870212AA17F9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2B8AC5
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15834 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:25:23 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: ECAB49EE-352A-48CF-9366-870212AA17F9
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15833 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:25:23 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3970648558-1221539114-42428051-4179077650
Account Name: ECAB49EE-352A-48CF-9366-870212AA17F9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2B8A7C
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15832 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:25:23 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3970648558-1221539114-42428051-4179077650
Account Name: ECAB49EE-352A-48CF-9366-870212AA17F9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2B8A7C
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15831 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:25:23 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3970648558-1221539114-42428051-4179077650
Account Name: ECAB49EE-352A-48CF-9366-870212AA17F9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2B8A7C
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15830 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:25:23 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: ECAB49EE-352A-48CF-9366-870212AA17F9
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15829 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:25:23 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3970648558-1221539114-42428051-4179077650
Account Name: ECAB49EE-352A-48CF-9366-870212AA17F9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2B89D7
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15828 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:25:23 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3970648558-1221539114-42428051-4179077650
Account Name: ECAB49EE-352A-48CF-9366-870212AA17F9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2B89D7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15827 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:25:23 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: ECAB49EE-352A-48CF-9366-870212AA17F9
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15826 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:25:23 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2502940841-1136696111-1298041261-3224348604
Account Name: 952FD8A9-9B2F-43C0-AD89-5E4DBCA72FC0
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2B653D
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15825 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:25:20 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2502940841-1136696111-1298041261-3224348604
Account Name: 952FD8A9-9B2F-43C0-AD89-5E4DBCA72FC0
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2B653D
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15824 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:25:20 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2502940841-1136696111-1298041261-3224348604
Account Name: 952FD8A9-9B2F-43C0-AD89-5E4DBCA72FC0
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2B653D
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15823 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:25:20 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 952FD8A9-9B2F-43C0-AD89-5E4DBCA72FC0
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15822 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:25:20 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2502940841-1136696111-1298041261-3224348604
Account Name: 952FD8A9-9B2F-43C0-AD89-5E4DBCA72FC0
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2B5660
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15821 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:25:20 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2502940841-1136696111-1298041261-3224348604
Account Name: 952FD8A9-9B2F-43C0-AD89-5E4DBCA72FC0
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2B585A
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15820 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:25:20 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2502940841-1136696111-1298041261-3224348604
Account Name: 952FD8A9-9B2F-43C0-AD89-5E4DBCA72FC0
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2B585A
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15819 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:25:20 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 952FD8A9-9B2F-43C0-AD89-5E4DBCA72FC0
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15818 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:25:20 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2502940841-1136696111-1298041261-3224348604
Account Name: 952FD8A9-9B2F-43C0-AD89-5E4DBCA72FC0
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2B5801
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15817 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:25:20 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2502940841-1136696111-1298041261-3224348604
Account Name: 952FD8A9-9B2F-43C0-AD89-5E4DBCA72FC0
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2B5801
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15816 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:25:20 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2502940841-1136696111-1298041261-3224348604
Account Name: 952FD8A9-9B2F-43C0-AD89-5E4DBCA72FC0
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2B5801
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15815 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:25:20 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 952FD8A9-9B2F-43C0-AD89-5E4DBCA72FC0
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15814 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:25:20 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2502940841-1136696111-1298041261-3224348604
Account Name: 952FD8A9-9B2F-43C0-AD89-5E4DBCA72FC0
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2B57B8
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15813 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:25:19 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2502940841-1136696111-1298041261-3224348604
Account Name: 952FD8A9-9B2F-43C0-AD89-5E4DBCA72FC0
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2B57B8
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15812 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:25:19 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2502940841-1136696111-1298041261-3224348604
Account Name: 952FD8A9-9B2F-43C0-AD89-5E4DBCA72FC0
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2B57B8
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15811 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:25:19 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 952FD8A9-9B2F-43C0-AD89-5E4DBCA72FC0
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15810 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:25:19 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2502940841-1136696111-1298041261-3224348604
Account Name: 952FD8A9-9B2F-43C0-AD89-5E4DBCA72FC0
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2B5660
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15809 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:25:19 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2502940841-1136696111-1298041261-3224348604
Account Name: 952FD8A9-9B2F-43C0-AD89-5E4DBCA72FC0
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2B5660
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15808 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:25:19 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 952FD8A9-9B2F-43C0-AD89-5E4DBCA72FC0
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15807 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:25:19 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x2A1C7D
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15806 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:25:16 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1727457522-1203702259-2678159-3297788276
Account Name: 66F6E8F2-09F3-47BF-8FDD-2800744190C4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x27E180
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15805 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:24:56 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2889598708-1310910492-582656179-2355070978
Account Name: AC3BC6F4-E81C-4E22-B3A0-BA2202885F8C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x29704B
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15804 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:24:40 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3407813963-1093431839-3864302465-474386790
Account Name: CB1F1D4B-721F-412C-8193-54E66691461C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x298DDC
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15803 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:24:40 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2889598708-1310910492-582656179-2355070978
Account Name: AC3BC6F4-E81C-4E22-B3A0-BA2202885F8C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2A4ACD
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15802 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:24:37 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2889598708-1310910492-582656179-2355070978
Account Name: AC3BC6F4-E81C-4E22-B3A0-BA2202885F8C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2A4ACD
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15801 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:24:37 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2889598708-1310910492-582656179-2355070978
Account Name: AC3BC6F4-E81C-4E22-B3A0-BA2202885F8C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2A4ACD
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15800 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:24:37 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: AC3BC6F4-E81C-4E22-B3A0-BA2202885F8C
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15799 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:24:37 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Identification
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x2A1C7D
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {263E8714-E751-0AC8-D615-26BB3905D945}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 64050
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15798 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:24:29 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x2A1C7D
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15797 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:24:29 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3407813963-1093431839-3864302465-474386790
Account Name: CB1F1D4B-721F-412C-8193-54E66691461C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x29FD7E
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15796 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:24:22 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3407813963-1093431839-3864302465-474386790
Account Name: CB1F1D4B-721F-412C-8193-54E66691461C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x29FD7E
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15795 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:24:22 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3407813963-1093431839-3864302465-474386790
Account Name: CB1F1D4B-721F-412C-8193-54E66691461C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x29FD7E
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15794 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:24:22 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: CB1F1D4B-721F-412C-8193-54E66691461C
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15793 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:24:22 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2889598708-1310910492-582656179-2355070978
Account Name: AC3BC6F4-E81C-4E22-B3A0-BA2202885F8C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x29C6C8
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15792 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:24:17 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2889598708-1310910492-582656179-2355070978
Account Name: AC3BC6F4-E81C-4E22-B3A0-BA2202885F8C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x29C6C8
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15791 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:24:17 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2889598708-1310910492-582656179-2355070978
Account Name: AC3BC6F4-E81C-4E22-B3A0-BA2202885F8C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x29C6C8
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15790 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:24:17 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: AC3BC6F4-E81C-4E22-B3A0-BA2202885F8C
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15789 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:24:17 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3407813963-1093431839-3864302465-474386790
Account Name: CB1F1D4B-721F-412C-8193-54E66691461C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x29A205
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15788 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:24:14 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3407813963-1093431839-3864302465-474386790
Account Name: CB1F1D4B-721F-412C-8193-54E66691461C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x29A205
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15787 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:24:14 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3407813963-1093431839-3864302465-474386790
Account Name: CB1F1D4B-721F-412C-8193-54E66691461C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x29A205
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15786 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:24:14 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: CB1F1D4B-721F-412C-8193-54E66691461C
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15785 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:24:14 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3407813963-1093431839-3864302465-474386790
Account Name: CB1F1D4B-721F-412C-8193-54E66691461C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x298C19
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15784 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:24:14 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3407813963-1093431839-3864302465-474386790
Account Name: CB1F1D4B-721F-412C-8193-54E66691461C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x298DDC
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15783 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:24:14 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3407813963-1093431839-3864302465-474386790
Account Name: CB1F1D4B-721F-412C-8193-54E66691461C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x298DDC
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15782 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:24:14 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: CB1F1D4B-721F-412C-8193-54E66691461C
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15781 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:24:14 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3407813963-1093431839-3864302465-474386790
Account Name: CB1F1D4B-721F-412C-8193-54E66691461C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x298D0B
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15780 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:24:14 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3407813963-1093431839-3864302465-474386790
Account Name: CB1F1D4B-721F-412C-8193-54E66691461C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x298D0B
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15779 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:24:14 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3407813963-1093431839-3864302465-474386790
Account Name: CB1F1D4B-721F-412C-8193-54E66691461C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x298D0B
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15778 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:24:14 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: CB1F1D4B-721F-412C-8193-54E66691461C
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15777 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:24:14 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3407813963-1093431839-3864302465-474386790
Account Name: CB1F1D4B-721F-412C-8193-54E66691461C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x298CC2
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15776 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:24:14 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3407813963-1093431839-3864302465-474386790
Account Name: CB1F1D4B-721F-412C-8193-54E66691461C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x298CC2
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15775 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:24:14 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3407813963-1093431839-3864302465-474386790
Account Name: CB1F1D4B-721F-412C-8193-54E66691461C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x298CC2
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15774 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:24:14 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: CB1F1D4B-721F-412C-8193-54E66691461C
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15773 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:24:14 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3407813963-1093431839-3864302465-474386790
Account Name: CB1F1D4B-721F-412C-8193-54E66691461C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x298C19
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15772 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:24:14 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3407813963-1093431839-3864302465-474386790
Account Name: CB1F1D4B-721F-412C-8193-54E66691461C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x298C19
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15771 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:24:14 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: CB1F1D4B-721F-412C-8193-54E66691461C
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15770 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:24:14 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2889598708-1310910492-582656179-2355070978
Account Name: AC3BC6F4-E81C-4E22-B3A0-BA2202885F8C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x297D55
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15769 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:24:11 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2889598708-1310910492-582656179-2355070978
Account Name: AC3BC6F4-E81C-4E22-B3A0-BA2202885F8C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x297D55
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15768 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:24:11 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2889598708-1310910492-582656179-2355070978
Account Name: AC3BC6F4-E81C-4E22-B3A0-BA2202885F8C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x297D55
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15767 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:24:11 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: AC3BC6F4-E81C-4E22-B3A0-BA2202885F8C
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15766 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:24:11 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2889598708-1310910492-582656179-2355070978
Account Name: AC3BC6F4-E81C-4E22-B3A0-BA2202885F8C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x296F03
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15765 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:24:11 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2889598708-1310910492-582656179-2355070978
Account Name: AC3BC6F4-E81C-4E22-B3A0-BA2202885F8C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x29704B
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15764 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:24:11 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2889598708-1310910492-582656179-2355070978
Account Name: AC3BC6F4-E81C-4E22-B3A0-BA2202885F8C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x29704B
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15763 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:24:11 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: AC3BC6F4-E81C-4E22-B3A0-BA2202885F8C
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15762 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:24:11 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2889598708-1310910492-582656179-2355070978
Account Name: AC3BC6F4-E81C-4E22-B3A0-BA2202885F8C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x296FF2
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15761 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:24:11 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2889598708-1310910492-582656179-2355070978
Account Name: AC3BC6F4-E81C-4E22-B3A0-BA2202885F8C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x296FF2
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15760 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:24:11 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2889598708-1310910492-582656179-2355070978
Account Name: AC3BC6F4-E81C-4E22-B3A0-BA2202885F8C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x296FF2
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15759 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:24:11 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: AC3BC6F4-E81C-4E22-B3A0-BA2202885F8C
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15758 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:24:11 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2889598708-1310910492-582656179-2355070978
Account Name: AC3BC6F4-E81C-4E22-B3A0-BA2202885F8C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x296FA9
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15757 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:24:11 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2889598708-1310910492-582656179-2355070978
Account Name: AC3BC6F4-E81C-4E22-B3A0-BA2202885F8C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x296FA9
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15756 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:24:11 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2889598708-1310910492-582656179-2355070978
Account Name: AC3BC6F4-E81C-4E22-B3A0-BA2202885F8C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x296FA9
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15755 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:24:11 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: AC3BC6F4-E81C-4E22-B3A0-BA2202885F8C
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15754 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:24:11 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2889598708-1310910492-582656179-2355070978
Account Name: AC3BC6F4-E81C-4E22-B3A0-BA2202885F8C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x296F03
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15753 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:24:11 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2889598708-1310910492-582656179-2355070978
Account Name: AC3BC6F4-E81C-4E22-B3A0-BA2202885F8C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x296F03
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15752 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:24:11 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: AC3BC6F4-E81C-4E22-B3A0-BA2202885F8C
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15751 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:24:11 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2895481668-1154856076-3095981981-3405795835
Account Name: AC958B44-B48C-44D5-9DEF-88B8FB5100CB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2676FE
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15750 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:23:56 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3417565542-1150721750-456926852-2190489771
Account Name: CBB3E966-9ED6-4496-8426-3C1BAB389082
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x27FF86
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15749 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:23:52 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3417565542-1150721750-456926852-2190489771
Account Name: CBB3E966-9ED6-4496-8426-3C1BAB389082
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x28A4B2
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15748 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:23:48 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3417565542-1150721750-456926852-2190489771
Account Name: CBB3E966-9ED6-4496-8426-3C1BAB389082
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x28A4B2
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15747 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:23:48 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3417565542-1150721750-456926852-2190489771
Account Name: CBB3E966-9ED6-4496-8426-3C1BAB389082
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x28A4B2
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15746 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:23:48 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: CBB3E966-9ED6-4496-8426-3C1BAB389082
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15745 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:23:48 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x25D922
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15744 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:23:46 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x252D6D
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15743 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:23:46 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1727457522-1203702259-2678159-3297788276
Account Name: 66F6E8F2-09F3-47BF-8FDD-2800744190C4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x285E2A
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15742 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:23:42 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1727457522-1203702259-2678159-3297788276
Account Name: 66F6E8F2-09F3-47BF-8FDD-2800744190C4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x285E2A
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15741 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:23:42 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1727457522-1203702259-2678159-3297788276
Account Name: 66F6E8F2-09F3-47BF-8FDD-2800744190C4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x285E2A
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15740 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:23:42 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 66F6E8F2-09F3-47BF-8FDD-2800744190C4
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15739 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:23:42 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2895481668-1154856076-3095981981-3405795835
Account Name: AC958B44-B48C-44D5-9DEF-88B8FB5100CB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2847B8
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15738 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:23:40 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2895481668-1154856076-3095981981-3405795835
Account Name: AC958B44-B48C-44D5-9DEF-88B8FB5100CB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2847B8
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15737 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:23:40 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2895481668-1154856076-3095981981-3405795835
Account Name: AC958B44-B48C-44D5-9DEF-88B8FB5100CB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2847B8
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15736 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:23:40 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: AC958B44-B48C-44D5-9DEF-88B8FB5100CB
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15735 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:23:40 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3417565542-1150721750-456926852-2190489771
Account Name: CBB3E966-9ED6-4496-8426-3C1BAB389082
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2813B1
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15734 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:23:34 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3417565542-1150721750-456926852-2190489771
Account Name: CBB3E966-9ED6-4496-8426-3C1BAB389082
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2813B1
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15733 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:23:34 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3417565542-1150721750-456926852-2190489771
Account Name: CBB3E966-9ED6-4496-8426-3C1BAB389082
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2813B1
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15732 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:23:34 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: CBB3E966-9ED6-4496-8426-3C1BAB389082
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15731 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:23:34 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3417565542-1150721750-456926852-2190489771
Account Name: CBB3E966-9ED6-4496-8426-3C1BAB389082
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x27FE3F
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15730 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:23:34 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3417565542-1150721750-456926852-2190489771
Account Name: CBB3E966-9ED6-4496-8426-3C1BAB389082
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x27FF86
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15729 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:23:34 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3417565542-1150721750-456926852-2190489771
Account Name: CBB3E966-9ED6-4496-8426-3C1BAB389082
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x27FF86
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15728 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:23:34 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: CBB3E966-9ED6-4496-8426-3C1BAB389082
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15727 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:23:34 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3417565542-1150721750-456926852-2190489771
Account Name: CBB3E966-9ED6-4496-8426-3C1BAB389082
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x27FF2D
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15726 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:23:34 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3417565542-1150721750-456926852-2190489771
Account Name: CBB3E966-9ED6-4496-8426-3C1BAB389082
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x27FF2D
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15725 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:23:34 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3417565542-1150721750-456926852-2190489771
Account Name: CBB3E966-9ED6-4496-8426-3C1BAB389082
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x27FF2D
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15724 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:23:34 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: CBB3E966-9ED6-4496-8426-3C1BAB389082
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15723 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:23:34 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3417565542-1150721750-456926852-2190489771
Account Name: CBB3E966-9ED6-4496-8426-3C1BAB389082
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x27FEE4
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15722 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:23:34 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3417565542-1150721750-456926852-2190489771
Account Name: CBB3E966-9ED6-4496-8426-3C1BAB389082
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x27FEE4
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15721 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:23:34 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3417565542-1150721750-456926852-2190489771
Account Name: CBB3E966-9ED6-4496-8426-3C1BAB389082
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x27FEE4
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15720 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:23:34 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: CBB3E966-9ED6-4496-8426-3C1BAB389082
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15719 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:23:34 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3417565542-1150721750-456926852-2190489771
Account Name: CBB3E966-9ED6-4496-8426-3C1BAB389082
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x27FE3F
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15718 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:23:34 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3417565542-1150721750-456926852-2190489771
Account Name: CBB3E966-9ED6-4496-8426-3C1BAB389082
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x27FE3F
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15717 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:23:34 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: CBB3E966-9ED6-4496-8426-3C1BAB389082
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15716 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:23:34 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1727457522-1203702259-2678159-3297788276
Account Name: 66F6E8F2-09F3-47BF-8FDD-2800744190C4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x27EE6C
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15715 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:23:31 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1727457522-1203702259-2678159-3297788276
Account Name: 66F6E8F2-09F3-47BF-8FDD-2800744190C4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x27EE6C
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15714 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:23:31 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1727457522-1203702259-2678159-3297788276
Account Name: 66F6E8F2-09F3-47BF-8FDD-2800744190C4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x27EE6C
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15713 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:23:31 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 66F6E8F2-09F3-47BF-8FDD-2800744190C4
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15712 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:23:31 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1727457522-1203702259-2678159-3297788276
Account Name: 66F6E8F2-09F3-47BF-8FDD-2800744190C4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x27E035
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15711 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:23:31 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1727457522-1203702259-2678159-3297788276
Account Name: 66F6E8F2-09F3-47BF-8FDD-2800744190C4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x27E180
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15710 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:23:31 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1727457522-1203702259-2678159-3297788276
Account Name: 66F6E8F2-09F3-47BF-8FDD-2800744190C4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x27E180
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15709 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:23:31 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 66F6E8F2-09F3-47BF-8FDD-2800744190C4
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15708 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:23:31 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1727457522-1203702259-2678159-3297788276
Account Name: 66F6E8F2-09F3-47BF-8FDD-2800744190C4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x27E127
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15707 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:23:31 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1727457522-1203702259-2678159-3297788276
Account Name: 66F6E8F2-09F3-47BF-8FDD-2800744190C4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x27E127
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15706 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:23:31 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1727457522-1203702259-2678159-3297788276
Account Name: 66F6E8F2-09F3-47BF-8FDD-2800744190C4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x27E127
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15705 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:23:31 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 66F6E8F2-09F3-47BF-8FDD-2800744190C4
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15704 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:23:31 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1727457522-1203702259-2678159-3297788276
Account Name: 66F6E8F2-09F3-47BF-8FDD-2800744190C4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x27E0DA
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15703 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:23:31 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1727457522-1203702259-2678159-3297788276
Account Name: 66F6E8F2-09F3-47BF-8FDD-2800744190C4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x27E0DA
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15702 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:23:31 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1727457522-1203702259-2678159-3297788276
Account Name: 66F6E8F2-09F3-47BF-8FDD-2800744190C4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x27E0DA
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15701 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:23:31 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 66F6E8F2-09F3-47BF-8FDD-2800744190C4
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15700 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:23:31 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1727457522-1203702259-2678159-3297788276
Account Name: 66F6E8F2-09F3-47BF-8FDD-2800744190C4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x27E035
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15699 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:23:31 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1727457522-1203702259-2678159-3297788276
Account Name: 66F6E8F2-09F3-47BF-8FDD-2800744190C4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x27E035
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15698 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:23:31 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 66F6E8F2-09F3-47BF-8FDD-2800744190C4
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15697 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:23:31 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x254658
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15696 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:23:27 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x254643
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15695 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:23:27 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x254626
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15694 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:23:27 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x25411F
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15693 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:23:27 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x25408C
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15692 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:23:27 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x254036
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15691 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:23:27 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x253E12
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15690 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:23:27 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x253DF9
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15689 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:23:27 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x253D8D
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15688 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:23:27 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x2531D4
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15687 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:23:27 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x253187
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15686 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:23:27 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x252DAB
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15685 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:23:27 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x252DC0
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15684 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:23:27 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x252D94
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15683 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:23:27 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x252D83
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15682 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:23:27 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x254692
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15681 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:23:27 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x25422B
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15680 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:23:27 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x253E3C
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15679 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:23:27 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x253752
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15678 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:23:27 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x25340E
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15677 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:23:27 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x252DE7
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15676 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:23:27 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1563300006-1289537136-2961753254-2344056606
Account Name: 5D2E10A6-C670-4CDC-A6C4-88B01E77B78B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x26A9DC
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15675 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:23:10 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1563300006-1289537136-2961753254-2344056606
Account Name: 5D2E10A6-C670-4CDC-A6C4-88B01E77B78B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x275376
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15674 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:23:04 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1563300006-1289537136-2961753254-2344056606
Account Name: 5D2E10A6-C670-4CDC-A6C4-88B01E77B78B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x275376
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15673 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:23:04 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1563300006-1289537136-2961753254-2344056606
Account Name: 5D2E10A6-C670-4CDC-A6C4-88B01E77B78B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x275376
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15672 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:23:04 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 5D2E10A6-C670-4CDC-A6C4-88B01E77B78B
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15671 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:23:04 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2895481668-1154856076-3095981981-3405795835
Account Name: AC958B44-B48C-44D5-9DEF-88B8FB5100CB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x26DF30
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15670 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:48 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2895481668-1154856076-3095981981-3405795835
Account Name: AC958B44-B48C-44D5-9DEF-88B8FB5100CB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x26DF30
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15669 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:48 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2895481668-1154856076-3095981981-3405795835
Account Name: AC958B44-B48C-44D5-9DEF-88B8FB5100CB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x26DF30
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15668 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:48 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: AC958B44-B48C-44D5-9DEF-88B8FB5100CB
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15667 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:48 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1563300006-1289537136-2961753254-2344056606
Account Name: 5D2E10A6-C670-4CDC-A6C4-88B01E77B78B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x26BEA9
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15666 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:45 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1563300006-1289537136-2961753254-2344056606
Account Name: 5D2E10A6-C670-4CDC-A6C4-88B01E77B78B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x26BEA9
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15665 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:45 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1563300006-1289537136-2961753254-2344056606
Account Name: 5D2E10A6-C670-4CDC-A6C4-88B01E77B78B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x26BEA9
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15664 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:45 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 5D2E10A6-C670-4CDC-A6C4-88B01E77B78B
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15663 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:45 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1563300006-1289537136-2961753254-2344056606
Account Name: 5D2E10A6-C670-4CDC-A6C4-88B01E77B78B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x26A895
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15662 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:44 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1563300006-1289537136-2961753254-2344056606
Account Name: 5D2E10A6-C670-4CDC-A6C4-88B01E77B78B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x26A9DC
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15661 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:44 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1563300006-1289537136-2961753254-2344056606
Account Name: 5D2E10A6-C670-4CDC-A6C4-88B01E77B78B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x26A9DC
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15660 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:44 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 5D2E10A6-C670-4CDC-A6C4-88B01E77B78B
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15659 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:44 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1563300006-1289537136-2961753254-2344056606
Account Name: 5D2E10A6-C670-4CDC-A6C4-88B01E77B78B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x26A983
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15658 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:44 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1563300006-1289537136-2961753254-2344056606
Account Name: 5D2E10A6-C670-4CDC-A6C4-88B01E77B78B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x26A983
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15657 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:44 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1563300006-1289537136-2961753254-2344056606
Account Name: 5D2E10A6-C670-4CDC-A6C4-88B01E77B78B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x26A983
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15656 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:44 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 5D2E10A6-C670-4CDC-A6C4-88B01E77B78B
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15655 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:44 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1563300006-1289537136-2961753254-2344056606
Account Name: 5D2E10A6-C670-4CDC-A6C4-88B01E77B78B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x26A93A
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15654 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:44 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1563300006-1289537136-2961753254-2344056606
Account Name: 5D2E10A6-C670-4CDC-A6C4-88B01E77B78B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x26A93A
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15653 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:44 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1563300006-1289537136-2961753254-2344056606
Account Name: 5D2E10A6-C670-4CDC-A6C4-88B01E77B78B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x26A93A
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15652 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:44 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 5D2E10A6-C670-4CDC-A6C4-88B01E77B78B
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15651 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:44 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1563300006-1289537136-2961753254-2344056606
Account Name: 5D2E10A6-C670-4CDC-A6C4-88B01E77B78B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x26A895
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15650 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:44 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1563300006-1289537136-2961753254-2344056606
Account Name: 5D2E10A6-C670-4CDC-A6C4-88B01E77B78B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x26A895
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15649 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:44 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 5D2E10A6-C670-4CDC-A6C4-88B01E77B78B
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15648 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:44 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2895481668-1154856076-3095981981-3405795835
Account Name: AC958B44-B48C-44D5-9DEF-88B8FB5100CB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x26858E
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15647 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:39 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2895481668-1154856076-3095981981-3405795835
Account Name: AC958B44-B48C-44D5-9DEF-88B8FB5100CB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x26858E
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15646 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:39 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2895481668-1154856076-3095981981-3405795835
Account Name: AC958B44-B48C-44D5-9DEF-88B8FB5100CB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x26858E
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15645 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:39 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: AC958B44-B48C-44D5-9DEF-88B8FB5100CB
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15644 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:39 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2895481668-1154856076-3095981981-3405795835
Account Name: AC958B44-B48C-44D5-9DEF-88B8FB5100CB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2675B6
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15643 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:39 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2895481668-1154856076-3095981981-3405795835
Account Name: AC958B44-B48C-44D5-9DEF-88B8FB5100CB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2676FE
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15642 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:39 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2895481668-1154856076-3095981981-3405795835
Account Name: AC958B44-B48C-44D5-9DEF-88B8FB5100CB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2676FE
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15641 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:39 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: AC958B44-B48C-44D5-9DEF-88B8FB5100CB
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15640 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:39 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2895481668-1154856076-3095981981-3405795835
Account Name: AC958B44-B48C-44D5-9DEF-88B8FB5100CB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2676A5
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15639 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:39 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2895481668-1154856076-3095981981-3405795835
Account Name: AC958B44-B48C-44D5-9DEF-88B8FB5100CB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2676A5
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15638 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:39 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2895481668-1154856076-3095981981-3405795835
Account Name: AC958B44-B48C-44D5-9DEF-88B8FB5100CB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2676A5
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15637 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:39 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: AC958B44-B48C-44D5-9DEF-88B8FB5100CB
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15636 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:39 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2895481668-1154856076-3095981981-3405795835
Account Name: AC958B44-B48C-44D5-9DEF-88B8FB5100CB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x26765C
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15635 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:39 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2895481668-1154856076-3095981981-3405795835
Account Name: AC958B44-B48C-44D5-9DEF-88B8FB5100CB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x26765C
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15634 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:39 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2895481668-1154856076-3095981981-3405795835
Account Name: AC958B44-B48C-44D5-9DEF-88B8FB5100CB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x26765C
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15633 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:39 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: AC958B44-B48C-44D5-9DEF-88B8FB5100CB
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15632 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:39 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2895481668-1154856076-3095981981-3405795835
Account Name: AC958B44-B48C-44D5-9DEF-88B8FB5100CB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2675B6
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15631 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:39 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2895481668-1154856076-3095981981-3405795835
Account Name: AC958B44-B48C-44D5-9DEF-88B8FB5100CB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2675B6
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15630 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:39 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: AC958B44-B48C-44D5-9DEF-88B8FB5100CB
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15629 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:39 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-647365780-1269859312-1710085249-844027281
Account Name: 26960494-83F0-4BB0-81D4-ED6591D54E32
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x22D8F2
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15628 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:36 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3652639040-1242121451-4215424687-3741010097
Account Name: D9B6D940-44EB-4A09-AF46-42FBB148FBDE
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x20AED1
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15627 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:32 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Identification
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x25D922
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {263E8714-E751-0AC8-D615-26BB3905D945}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 64006
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15626 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:28 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x25D922
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15625 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:28 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2988502709-1075803475-3417829249-1742692886
Account Name: B220EEB5-7553-401F-81EF-B7CB1662DF67
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2389CF
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15624 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:17 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2988502709-1075803475-3417829249-1742692886
Account Name: B220EEB5-7553-401F-81EF-B7CB1662DF67
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x25B032
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15623 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:17 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2988502709-1075803475-3417829249-1742692886
Account Name: B220EEB5-7553-401F-81EF-B7CB1662DF67
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x25B032
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15622 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:17 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2988502709-1075803475-3417829249-1742692886
Account Name: B220EEB5-7553-401F-81EF-B7CB1662DF67
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x25B032
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15621 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:17 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: B220EEB5-7553-401F-81EF-B7CB1662DF67
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15620 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:17 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3558064242-1250500710-769875853-2117284920
Account Name: D413C072-2066-4A89-8D5F-E32D3834337E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x24E849
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15619 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:14 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x254692
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {BA32453F-14A8-4DF7-1B09-E6BFDE89C5D2}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 64008
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15618 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:10 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x254692
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15617 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:10 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x254658
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {BA32453F-14A8-4DF7-1B09-E6BFDE89C5D2}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 64007
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15616 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:10 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x254658
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15615 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:10 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x254643
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {BA32453F-14A8-4DF7-1B09-E6BFDE89C5D2}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 64007
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15614 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:10 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x254643
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15613 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:10 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x254626
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {81359CCD-33AE-CC9B-EB2C-C79D985DE856}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 64007
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15612 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:10 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x254626
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15611 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:10 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x25422B
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {BA32453F-14A8-4DF7-1B09-E6BFDE89C5D2}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 64008
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15610 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:09 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x25422B
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15609 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:09 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x25411F
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {BA32453F-14A8-4DF7-1B09-E6BFDE89C5D2}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 64007
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15608 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:09 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x25411F
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15607 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:09 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x25408C
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {BA32453F-14A8-4DF7-1B09-E6BFDE89C5D2}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 64007
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15606 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:09 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x25408C
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15605 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:09 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x254036
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {81359CCD-33AE-CC9B-EB2C-C79D985DE856}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 64007
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15604 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:09 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x254036
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15603 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:09 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x253E3C
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {BA32453F-14A8-4DF7-1B09-E6BFDE89C5D2}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 64008
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15602 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:09 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x253E3C
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15601 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:09 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x253E12
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {BA32453F-14A8-4DF7-1B09-E6BFDE89C5D2}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 64007
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15600 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:09 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x253E12
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15599 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:09 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x253DF9
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {BA32453F-14A8-4DF7-1B09-E6BFDE89C5D2}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 64007
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15598 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:09 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x253DF9
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15597 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:09 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x253D8D
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {81359CCD-33AE-CC9B-EB2C-C79D985DE856}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 64007
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15596 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:09 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x253D8D
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15595 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:09 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Identification
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x253752
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {81359CCD-33AE-CC9B-EB2C-C79D985DE856}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 64008
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15594 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:09 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x253752
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15593 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:09 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x25340E
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {BA32453F-14A8-4DF7-1B09-E6BFDE89C5D2}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 64008
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15592 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:09 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x25340E
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15591 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:09 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x2531D4
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {BA32453F-14A8-4DF7-1B09-E6BFDE89C5D2}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 64007
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15590 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:09 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x2531D4
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15589 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:09 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x253187
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {BA32453F-14A8-4DF7-1B09-E6BFDE89C5D2}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 64007
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15588 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:09 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x253187
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15587 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:09 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x252DE7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {BA32453F-14A8-4DF7-1B09-E6BFDE89C5D2}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 64008
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15586 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:09 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3558064242-1250500710-769875853-2117284920
Account Name: D413C072-2066-4A89-8D5F-E32D3834337E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x252D58
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15585 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:09 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x252DE7
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15584 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:09 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3558064242-1250500710-769875853-2117284920
Account Name: D413C072-2066-4A89-8D5F-E32D3834337E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x252D58
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15583 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:09 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3558064242-1250500710-769875853-2117284920
Account Name: D413C072-2066-4A89-8D5F-E32D3834337E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x252D58
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15582 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:09 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: D413C072-2066-4A89-8D5F-E32D3834337E
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15581 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:09 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x252DC0
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {BA32453F-14A8-4DF7-1B09-E6BFDE89C5D2}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 64007
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15580 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:09 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x252DC0
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15579 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:09 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x252DAB
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {BA32453F-14A8-4DF7-1B09-E6BFDE89C5D2}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 64007
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15578 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:09 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x252DAB
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15577 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:09 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x252D94
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {81359CCD-33AE-CC9B-EB2C-C79D985DE856}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 64007
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15576 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:09 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x252D94
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15575 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:09 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Identification
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x252D83
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {81359CCD-33AE-CC9B-EB2C-C79D985DE856}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 64007
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15574 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:09 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x252D83
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15573 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:09 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x252D6D
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {81359CCD-33AE-CC9B-EB2C-C79D985DE856}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 64006
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15572 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:09 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x252D6D
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15571 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:09 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3652639040-1242121451-4215424687-3741010097
Account Name: D9B6D940-44EB-4A09-AF46-42FBB148FBDE
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2520A4
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15570 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:08 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3652639040-1242121451-4215424687-3741010097
Account Name: D9B6D940-44EB-4A09-AF46-42FBB148FBDE
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2520A4
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15569 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:08 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3652639040-1242121451-4215424687-3741010097
Account Name: D9B6D940-44EB-4A09-AF46-42FBB148FBDE
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2520A4
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15568 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:08 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: D9B6D940-44EB-4A09-AF46-42FBB148FBDE
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15567 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:22:08 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3558064242-1250500710-769875853-2117284920
Account Name: D413C072-2066-4A89-8D5F-E32D3834337E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x24F62B
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15566 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:21:59 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3558064242-1250500710-769875853-2117284920
Account Name: D413C072-2066-4A89-8D5F-E32D3834337E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x24F62B
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15565 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:21:59 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3558064242-1250500710-769875853-2117284920
Account Name: D413C072-2066-4A89-8D5F-E32D3834337E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x24F62B
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15564 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:21:59 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: D413C072-2066-4A89-8D5F-E32D3834337E
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15563 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:21:59 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3558064242-1250500710-769875853-2117284920
Account Name: D413C072-2066-4A89-8D5F-E32D3834337E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x24E702
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15562 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:21:58 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3558064242-1250500710-769875853-2117284920
Account Name: D413C072-2066-4A89-8D5F-E32D3834337E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x24E849
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15561 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:21:58 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3558064242-1250500710-769875853-2117284920
Account Name: D413C072-2066-4A89-8D5F-E32D3834337E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x24E849
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15560 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:21:58 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: D413C072-2066-4A89-8D5F-E32D3834337E
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15559 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:21:58 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3558064242-1250500710-769875853-2117284920
Account Name: D413C072-2066-4A89-8D5F-E32D3834337E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x24E7F0
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15558 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:21:58 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3558064242-1250500710-769875853-2117284920
Account Name: D413C072-2066-4A89-8D5F-E32D3834337E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x24E7F0
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15557 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:21:58 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3558064242-1250500710-769875853-2117284920
Account Name: D413C072-2066-4A89-8D5F-E32D3834337E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x24E7F0
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15556 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:21:58 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: D413C072-2066-4A89-8D5F-E32D3834337E
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15555 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:21:58 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3558064242-1250500710-769875853-2117284920
Account Name: D413C072-2066-4A89-8D5F-E32D3834337E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x24E7A7
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15554 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:21:58 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3558064242-1250500710-769875853-2117284920
Account Name: D413C072-2066-4A89-8D5F-E32D3834337E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x24E7A7
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15553 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:21:58 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3558064242-1250500710-769875853-2117284920
Account Name: D413C072-2066-4A89-8D5F-E32D3834337E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x24E7A7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15552 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:21:58 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: D413C072-2066-4A89-8D5F-E32D3834337E
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15551 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:21:58 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3558064242-1250500710-769875853-2117284920
Account Name: D413C072-2066-4A89-8D5F-E32D3834337E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x24E702
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15550 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:21:58 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3558064242-1250500710-769875853-2117284920
Account Name: D413C072-2066-4A89-8D5F-E32D3834337E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x24E702
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15549 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:21:58 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: D413C072-2066-4A89-8D5F-E32D3834337E
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15548 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:21:58 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x24B155
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15547 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:21:52 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2247599097-1217627649-2982676111-929835728
Account Name: 85F7A3F9-8601-4893-8F06-C8B1D02A6C37
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x23F311
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15546 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:21:42 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x24B155
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {0280A675-5C7E-EB18-A634-7A52969BC6F0}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 63996
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15545 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:21:41 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x24B155
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15544 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:21:41 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2247599097-1217627649-2982676111-929835728
Account Name: 85F7A3F9-8601-4893-8F06-C8B1D02A6C37
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2440F7
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15543 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:21:33 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2247599097-1217627649-2982676111-929835728
Account Name: 85F7A3F9-8601-4893-8F06-C8B1D02A6C37
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2440F7
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15542 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:21:33 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2247599097-1217627649-2982676111-929835728
Account Name: 85F7A3F9-8601-4893-8F06-C8B1D02A6C37
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2440F7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15541 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:21:33 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 85F7A3F9-8601-4893-8F06-C8B1D02A6C37
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15540 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:21:33 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2988502709-1075803475-3417829249-1742692886
Account Name: B220EEB5-7553-401F-81EF-B7CB1662DF67
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x241CB2
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15539 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:21:31 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2988502709-1075803475-3417829249-1742692886
Account Name: B220EEB5-7553-401F-81EF-B7CB1662DF67
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x241CB2
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15538 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:21:31 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2988502709-1075803475-3417829249-1742692886
Account Name: B220EEB5-7553-401F-81EF-B7CB1662DF67
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x241CB2
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15537 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:21:31 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: B220EEB5-7553-401F-81EF-B7CB1662DF67
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15536 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:21:31 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2247599097-1217627649-2982676111-929835728
Account Name: 85F7A3F9-8601-4893-8F06-C8B1D02A6C37
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x24010A
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15535 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:21:31 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2247599097-1217627649-2982676111-929835728
Account Name: 85F7A3F9-8601-4893-8F06-C8B1D02A6C37
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x24010A
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15534 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:21:31 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2247599097-1217627649-2982676111-929835728
Account Name: 85F7A3F9-8601-4893-8F06-C8B1D02A6C37
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x24010A
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15533 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:21:31 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 85F7A3F9-8601-4893-8F06-C8B1D02A6C37
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15532 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:21:31 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2247599097-1217627649-2982676111-929835728
Account Name: 85F7A3F9-8601-4893-8F06-C8B1D02A6C37
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x23F1C9
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15531 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:21:30 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2247599097-1217627649-2982676111-929835728
Account Name: 85F7A3F9-8601-4893-8F06-C8B1D02A6C37
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x23F311
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15530 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:21:30 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2247599097-1217627649-2982676111-929835728
Account Name: 85F7A3F9-8601-4893-8F06-C8B1D02A6C37
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x23F311
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15529 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:21:30 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 85F7A3F9-8601-4893-8F06-C8B1D02A6C37
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15528 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:21:30 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2247599097-1217627649-2982676111-929835728
Account Name: 85F7A3F9-8601-4893-8F06-C8B1D02A6C37
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x23F2B8
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15527 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:21:30 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2247599097-1217627649-2982676111-929835728
Account Name: 85F7A3F9-8601-4893-8F06-C8B1D02A6C37
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x23F2B8
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15526 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:21:30 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2247599097-1217627649-2982676111-929835728
Account Name: 85F7A3F9-8601-4893-8F06-C8B1D02A6C37
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x23F2B8
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15525 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:21:30 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 85F7A3F9-8601-4893-8F06-C8B1D02A6C37
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15524 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:21:30 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2247599097-1217627649-2982676111-929835728
Account Name: 85F7A3F9-8601-4893-8F06-C8B1D02A6C37
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x23F26F
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15523 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:21:30 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2247599097-1217627649-2982676111-929835728
Account Name: 85F7A3F9-8601-4893-8F06-C8B1D02A6C37
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x23F26F
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15522 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:21:30 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2247599097-1217627649-2982676111-929835728
Account Name: 85F7A3F9-8601-4893-8F06-C8B1D02A6C37
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x23F26F
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15521 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:21:30 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 85F7A3F9-8601-4893-8F06-C8B1D02A6C37
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15520 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:21:30 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2247599097-1217627649-2982676111-929835728
Account Name: 85F7A3F9-8601-4893-8F06-C8B1D02A6C37
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x23F1C9
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15519 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:21:30 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2247599097-1217627649-2982676111-929835728
Account Name: 85F7A3F9-8601-4893-8F06-C8B1D02A6C37
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x23F1C9
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15518 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:21:30 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 85F7A3F9-8601-4893-8F06-C8B1D02A6C37
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15517 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:21:30 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2988502709-1075803475-3417829249-1742692886
Account Name: B220EEB5-7553-401F-81EF-B7CB1662DF67
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x23B469
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15516 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:21:19 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2988502709-1075803475-3417829249-1742692886
Account Name: B220EEB5-7553-401F-81EF-B7CB1662DF67
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x23B469
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15515 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:21:19 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2988502709-1075803475-3417829249-1742692886
Account Name: B220EEB5-7553-401F-81EF-B7CB1662DF67
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x23B469
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15514 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:21:19 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: B220EEB5-7553-401F-81EF-B7CB1662DF67
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15513 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:21:19 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2988502709-1075803475-3417829249-1742692886
Account Name: B220EEB5-7553-401F-81EF-B7CB1662DF67
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x238875
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15512 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:21:13 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2988502709-1075803475-3417829249-1742692886
Account Name: B220EEB5-7553-401F-81EF-B7CB1662DF67
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2389CF
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15511 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:21:13 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2988502709-1075803475-3417829249-1742692886
Account Name: B220EEB5-7553-401F-81EF-B7CB1662DF67
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2389CF
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15510 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:21:13 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: B220EEB5-7553-401F-81EF-B7CB1662DF67
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15509 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:21:13 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2988502709-1075803475-3417829249-1742692886
Account Name: B220EEB5-7553-401F-81EF-B7CB1662DF67
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x238976
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15508 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:21:13 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2988502709-1075803475-3417829249-1742692886
Account Name: B220EEB5-7553-401F-81EF-B7CB1662DF67
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x238976
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15507 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:21:13 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2988502709-1075803475-3417829249-1742692886
Account Name: B220EEB5-7553-401F-81EF-B7CB1662DF67
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x238976
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15506 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:21:13 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: B220EEB5-7553-401F-81EF-B7CB1662DF67
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15505 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:21:13 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2988502709-1075803475-3417829249-1742692886
Account Name: B220EEB5-7553-401F-81EF-B7CB1662DF67
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x23892C
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15504 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:21:13 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2988502709-1075803475-3417829249-1742692886
Account Name: B220EEB5-7553-401F-81EF-B7CB1662DF67
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x23892C
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15503 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:21:13 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2988502709-1075803475-3417829249-1742692886
Account Name: B220EEB5-7553-401F-81EF-B7CB1662DF67
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x23892C
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15502 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:21:13 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: B220EEB5-7553-401F-81EF-B7CB1662DF67
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15501 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:21:13 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2988502709-1075803475-3417829249-1742692886
Account Name: B220EEB5-7553-401F-81EF-B7CB1662DF67
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x238875
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15500 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:21:13 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2988502709-1075803475-3417829249-1742692886
Account Name: B220EEB5-7553-401F-81EF-B7CB1662DF67
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x238875
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15499 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:21:13 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: B220EEB5-7553-401F-81EF-B7CB1662DF67
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15498 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:21:13 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2843357111-1147821581-356158903-4216848643
Account Name: A97A2FB7-5E0D-446A-B78D-3A15030158FB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2178C6
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15497 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:21:12 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-647365780-1269859312-1710085249-844027281
Account Name: 26960494-83F0-4BB0-81D4-ED6591D54E32
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x23369E
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15496 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:21:00 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-647365780-1269859312-1710085249-844027281
Account Name: 26960494-83F0-4BB0-81D4-ED6591D54E32
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x23369E
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15495 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:21:00 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-647365780-1269859312-1710085249-844027281
Account Name: 26960494-83F0-4BB0-81D4-ED6591D54E32
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x23369E
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15494 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:21:00 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 26960494-83F0-4BB0-81D4-ED6591D54E32
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15493 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:21:00 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-647365780-1269859312-1710085249-844027281
Account Name: 26960494-83F0-4BB0-81D4-ED6591D54E32
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x22E619
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15492 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:53 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-647365780-1269859312-1710085249-844027281
Account Name: 26960494-83F0-4BB0-81D4-ED6591D54E32
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x22E619
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15491 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:53 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-647365780-1269859312-1710085249-844027281
Account Name: 26960494-83F0-4BB0-81D4-ED6591D54E32
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x22E619
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15490 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:53 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 26960494-83F0-4BB0-81D4-ED6591D54E32
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15489 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:53 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-647365780-1269859312-1710085249-844027281
Account Name: 26960494-83F0-4BB0-81D4-ED6591D54E32
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x22D7A7
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15488 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:53 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-647365780-1269859312-1710085249-844027281
Account Name: 26960494-83F0-4BB0-81D4-ED6591D54E32
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x22D8F2
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15487 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:53 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-647365780-1269859312-1710085249-844027281
Account Name: 26960494-83F0-4BB0-81D4-ED6591D54E32
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x22D8F2
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15486 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:53 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 26960494-83F0-4BB0-81D4-ED6591D54E32
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15485 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:53 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-647365780-1269859312-1710085249-844027281
Account Name: 26960494-83F0-4BB0-81D4-ED6591D54E32
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x22D899
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15484 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:53 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-647365780-1269859312-1710085249-844027281
Account Name: 26960494-83F0-4BB0-81D4-ED6591D54E32
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x22D899
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15483 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:53 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-647365780-1269859312-1710085249-844027281
Account Name: 26960494-83F0-4BB0-81D4-ED6591D54E32
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x22D899
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15482 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:53 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 26960494-83F0-4BB0-81D4-ED6591D54E32
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15481 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:53 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-647365780-1269859312-1710085249-844027281
Account Name: 26960494-83F0-4BB0-81D4-ED6591D54E32
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x22D84C
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15480 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:53 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-647365780-1269859312-1710085249-844027281
Account Name: 26960494-83F0-4BB0-81D4-ED6591D54E32
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x22D84C
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15479 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:53 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-647365780-1269859312-1710085249-844027281
Account Name: 26960494-83F0-4BB0-81D4-ED6591D54E32
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x22D84C
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15478 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:53 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 26960494-83F0-4BB0-81D4-ED6591D54E32
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15477 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:53 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-647365780-1269859312-1710085249-844027281
Account Name: 26960494-83F0-4BB0-81D4-ED6591D54E32
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x22D7A7
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15476 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:53 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-647365780-1269859312-1710085249-844027281
Account Name: 26960494-83F0-4BB0-81D4-ED6591D54E32
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x22D7A7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15475 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:53 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 26960494-83F0-4BB0-81D4-ED6591D54E32
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15474 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:53 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-656967337-1224420070-118768271-739636507
Account Name: 272886A9-2AE6-48FB-8F42-14071BF5152C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x20EE7C
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15473 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:52 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2946521200-1087714205-937756347-3668986037
Account Name: AFA05870-339D-40D5-BB06-E537B548B0DA
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x21CAB6
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15472 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:48 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x21E669
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15471 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:46 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1F72C3
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15470 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:46 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3652639040-1242121451-4215424687-3741010097
Account Name: D9B6D940-44EB-4A09-AF46-42FBB148FBDE
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2252EA
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15469 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:43 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3652639040-1242121451-4215424687-3741010097
Account Name: D9B6D940-44EB-4A09-AF46-42FBB148FBDE
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2252EA
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15468 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:43 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3652639040-1242121451-4215424687-3741010097
Account Name: D9B6D940-44EB-4A09-AF46-42FBB148FBDE
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2252EA
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15467 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:43 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: D9B6D940-44EB-4A09-AF46-42FBB148FBDE
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15466 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:43 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2946521200-1087714205-937756347-3668986037
Account Name: AFA05870-339D-40D5-BB06-E537B548B0DA
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x222B88
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15465 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:35 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2946521200-1087714205-937756347-3668986037
Account Name: AFA05870-339D-40D5-BB06-E537B548B0DA
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x222B88
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15464 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:35 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2946521200-1087714205-937756347-3668986037
Account Name: AFA05870-339D-40D5-BB06-E537B548B0DA
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x222B88
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15463 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:35 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: AFA05870-339D-40D5-BB06-E537B548B0DA
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15462 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:35 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2843357111-1147821581-356158903-4216848643
Account Name: A97A2FB7-5E0D-446A-B78D-3A15030158FB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x21F343
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15461 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:29 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2843357111-1147821581-356158903-4216848643
Account Name: A97A2FB7-5E0D-446A-B78D-3A15030158FB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x21F343
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15460 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:29 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2843357111-1147821581-356158903-4216848643
Account Name: A97A2FB7-5E0D-446A-B78D-3A15030158FB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x21F343
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15459 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:29 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: A97A2FB7-5E0D-446A-B78D-3A15030158FB
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15458 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:29 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Identification
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x21E669
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {263E8714-E751-0AC8-D615-26BB3905D945}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 63970
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15457 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:27 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x21E669
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15456 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:27 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1F7B6C
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15455 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:27 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1F7B57
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15454 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:27 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1F7B3B
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15453 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:27 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1F79DC
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15452 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:27 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1F79C7
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15451 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:27 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1F79B0
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15450 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:27 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1F7802
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15449 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:27 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1F77ED
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15448 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:27 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1F77D6
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15447 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:27 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1F7415
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15446 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:27 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1F73D7
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15445 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:27 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1F7316
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15444 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:27 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1F7301
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15443 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:27 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1F72EA
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15442 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:27 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1F72D9
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15441 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:27 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1F7B92
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15440 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:27 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1F7A02
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15439 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:27 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1F782C
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15438 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:27 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1F7608
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15437 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:27 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1F752E
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15436 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:27 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1F732E
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15435 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:27 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2946521200-1087714205-937756347-3668986037
Account Name: AFA05870-339D-40D5-BB06-E537B548B0DA
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x21D9CD
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15434 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:26 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2946521200-1087714205-937756347-3668986037
Account Name: AFA05870-339D-40D5-BB06-E537B548B0DA
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x21D9CD
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15433 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:26 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2946521200-1087714205-937756347-3668986037
Account Name: AFA05870-339D-40D5-BB06-E537B548B0DA
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x21D9CD
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15432 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:26 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: AFA05870-339D-40D5-BB06-E537B548B0DA
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15431 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:26 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2946521200-1087714205-937756347-3668986037
Account Name: AFA05870-339D-40D5-BB06-E537B548B0DA
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x21C96B
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15430 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:26 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2946521200-1087714205-937756347-3668986037
Account Name: AFA05870-339D-40D5-BB06-E537B548B0DA
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x21CAB6
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15429 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:26 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2946521200-1087714205-937756347-3668986037
Account Name: AFA05870-339D-40D5-BB06-E537B548B0DA
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x21CAB6
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15428 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:26 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: AFA05870-339D-40D5-BB06-E537B548B0DA
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15427 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:26 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2946521200-1087714205-937756347-3668986037
Account Name: AFA05870-339D-40D5-BB06-E537B548B0DA
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x21CA59
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15426 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:26 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2946521200-1087714205-937756347-3668986037
Account Name: AFA05870-339D-40D5-BB06-E537B548B0DA
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x21CA59
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15425 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:26 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2946521200-1087714205-937756347-3668986037
Account Name: AFA05870-339D-40D5-BB06-E537B548B0DA
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x21CA59
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15424 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:26 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: AFA05870-339D-40D5-BB06-E537B548B0DA
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15423 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:26 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2946521200-1087714205-937756347-3668986037
Account Name: AFA05870-339D-40D5-BB06-E537B548B0DA
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x21CA10
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15422 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:26 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2946521200-1087714205-937756347-3668986037
Account Name: AFA05870-339D-40D5-BB06-E537B548B0DA
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x21CA10
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15421 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:26 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2946521200-1087714205-937756347-3668986037
Account Name: AFA05870-339D-40D5-BB06-E537B548B0DA
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x21CA10
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15420 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:26 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: AFA05870-339D-40D5-BB06-E537B548B0DA
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15419 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:26 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2946521200-1087714205-937756347-3668986037
Account Name: AFA05870-339D-40D5-BB06-E537B548B0DA
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x21C96B
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15418 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:26 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2946521200-1087714205-937756347-3668986037
Account Name: AFA05870-339D-40D5-BB06-E537B548B0DA
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x21C96B
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15417 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:26 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: AFA05870-339D-40D5-BB06-E537B548B0DA
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15416 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:26 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2843357111-1147821581-356158903-4216848643
Account Name: A97A2FB7-5E0D-446A-B78D-3A15030158FB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2185E7
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15415 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:17 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2843357111-1147821581-356158903-4216848643
Account Name: A97A2FB7-5E0D-446A-B78D-3A15030158FB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2185E7
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15414 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:17 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2843357111-1147821581-356158903-4216848643
Account Name: A97A2FB7-5E0D-446A-B78D-3A15030158FB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2185E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15413 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:17 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: A97A2FB7-5E0D-446A-B78D-3A15030158FB
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15412 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:17 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2843357111-1147821581-356158903-4216848643
Account Name: A97A2FB7-5E0D-446A-B78D-3A15030158FB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x217707
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15411 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:16 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2843357111-1147821581-356158903-4216848643
Account Name: A97A2FB7-5E0D-446A-B78D-3A15030158FB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2178C6
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15410 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2843357111-1147821581-356158903-4216848643
Account Name: A97A2FB7-5E0D-446A-B78D-3A15030158FB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2178C6
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15409 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: A97A2FB7-5E0D-446A-B78D-3A15030158FB
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15408 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2843357111-1147821581-356158903-4216848643
Account Name: A97A2FB7-5E0D-446A-B78D-3A15030158FB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x21786D
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15407 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:16 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2843357111-1147821581-356158903-4216848643
Account Name: A97A2FB7-5E0D-446A-B78D-3A15030158FB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x21786D
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15406 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2843357111-1147821581-356158903-4216848643
Account Name: A97A2FB7-5E0D-446A-B78D-3A15030158FB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x21786D
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15405 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: A97A2FB7-5E0D-446A-B78D-3A15030158FB
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15404 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2843357111-1147821581-356158903-4216848643
Account Name: A97A2FB7-5E0D-446A-B78D-3A15030158FB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2177AD
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15403 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:16 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2843357111-1147821581-356158903-4216848643
Account Name: A97A2FB7-5E0D-446A-B78D-3A15030158FB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2177AD
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15402 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2843357111-1147821581-356158903-4216848643
Account Name: A97A2FB7-5E0D-446A-B78D-3A15030158FB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2177AD
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15401 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: A97A2FB7-5E0D-446A-B78D-3A15030158FB
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15400 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2843357111-1147821581-356158903-4216848643
Account Name: A97A2FB7-5E0D-446A-B78D-3A15030158FB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x217707
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15399 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2843357111-1147821581-356158903-4216848643
Account Name: A97A2FB7-5E0D-446A-B78D-3A15030158FB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x217707
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15398 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: A97A2FB7-5E0D-446A-B78D-3A15030158FB
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15397 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-656967337-1224420070-118768271-739636507
Account Name: 272886A9-2AE6-48FB-8F42-14071BF5152C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x215BE2
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15396 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:09 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-656967337-1224420070-118768271-739636507
Account Name: 272886A9-2AE6-48FB-8F42-14071BF5152C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x215BE2
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15395 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:09 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-656967337-1224420070-118768271-739636507
Account Name: 272886A9-2AE6-48FB-8F42-14071BF5152C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x215BE2
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15394 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:09 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 272886A9-2AE6-48FB-8F42-14071BF5152C
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15393 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:09 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3652639040-1242121451-4215424687-3741010097
Account Name: D9B6D940-44EB-4A09-AF46-42FBB148FBDE
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x212676
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15392 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:06 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3652639040-1242121451-4215424687-3741010097
Account Name: D9B6D940-44EB-4A09-AF46-42FBB148FBDE
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x212676
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15391 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:06 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3652639040-1242121451-4215424687-3741010097
Account Name: D9B6D940-44EB-4A09-AF46-42FBB148FBDE
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x212676
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15390 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:06 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: D9B6D940-44EB-4A09-AF46-42FBB148FBDE
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15389 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:06 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-656967337-1224420070-118768271-739636507
Account Name: 272886A9-2AE6-48FB-8F42-14071BF5152C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x20FF43
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15388 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:03 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-656967337-1224420070-118768271-739636507
Account Name: 272886A9-2AE6-48FB-8F42-14071BF5152C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x20FF43
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15387 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:03 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-656967337-1224420070-118768271-739636507
Account Name: 272886A9-2AE6-48FB-8F42-14071BF5152C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x20FF43
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15386 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:03 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 272886A9-2AE6-48FB-8F42-14071BF5152C
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15385 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:03 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-656967337-1224420070-118768271-739636507
Account Name: 272886A9-2AE6-48FB-8F42-14071BF5152C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x20ED35
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15384 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:02 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-656967337-1224420070-118768271-739636507
Account Name: 272886A9-2AE6-48FB-8F42-14071BF5152C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x20EE7C
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15383 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:02 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-656967337-1224420070-118768271-739636507
Account Name: 272886A9-2AE6-48FB-8F42-14071BF5152C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x20EE7C
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15382 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:02 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 272886A9-2AE6-48FB-8F42-14071BF5152C
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15381 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:02 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-656967337-1224420070-118768271-739636507
Account Name: 272886A9-2AE6-48FB-8F42-14071BF5152C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x20EE23
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15380 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:02 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-656967337-1224420070-118768271-739636507
Account Name: 272886A9-2AE6-48FB-8F42-14071BF5152C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x20EE23
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15379 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:02 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-656967337-1224420070-118768271-739636507
Account Name: 272886A9-2AE6-48FB-8F42-14071BF5152C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x20EE23
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15378 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:02 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 272886A9-2AE6-48FB-8F42-14071BF5152C
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15377 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:02 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-656967337-1224420070-118768271-739636507
Account Name: 272886A9-2AE6-48FB-8F42-14071BF5152C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x20EDDA
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15376 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:02 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-656967337-1224420070-118768271-739636507
Account Name: 272886A9-2AE6-48FB-8F42-14071BF5152C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x20EDDA
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15375 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:02 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-656967337-1224420070-118768271-739636507
Account Name: 272886A9-2AE6-48FB-8F42-14071BF5152C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x20EDDA
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15374 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:02 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 272886A9-2AE6-48FB-8F42-14071BF5152C
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15373 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:02 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-656967337-1224420070-118768271-739636507
Account Name: 272886A9-2AE6-48FB-8F42-14071BF5152C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x20ED35
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15372 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:02 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-656967337-1224420070-118768271-739636507
Account Name: 272886A9-2AE6-48FB-8F42-14071BF5152C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x20ED35
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15371 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:02 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 272886A9-2AE6-48FB-8F42-14071BF5152C
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15370 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:20:02 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3652639040-1242121451-4215424687-3741010097
Account Name: D9B6D940-44EB-4A09-AF46-42FBB148FBDE
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x20BB81
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15369 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:59 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3652639040-1242121451-4215424687-3741010097
Account Name: D9B6D940-44EB-4A09-AF46-42FBB148FBDE
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x20BB81
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15368 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:59 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3652639040-1242121451-4215424687-3741010097
Account Name: D9B6D940-44EB-4A09-AF46-42FBB148FBDE
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x20BB81
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15367 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:59 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: D9B6D940-44EB-4A09-AF46-42FBB148FBDE
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15366 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:59 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3652639040-1242121451-4215424687-3741010097
Account Name: D9B6D940-44EB-4A09-AF46-42FBB148FBDE
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x20AD80
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15365 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:59 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3652639040-1242121451-4215424687-3741010097
Account Name: D9B6D940-44EB-4A09-AF46-42FBB148FBDE
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x20AED1
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15364 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:59 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3652639040-1242121451-4215424687-3741010097
Account Name: D9B6D940-44EB-4A09-AF46-42FBB148FBDE
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x20AED1
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15363 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:59 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: D9B6D940-44EB-4A09-AF46-42FBB148FBDE
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15362 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:59 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3652639040-1242121451-4215424687-3741010097
Account Name: D9B6D940-44EB-4A09-AF46-42FBB148FBDE
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x20AE6E
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15361 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:59 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3652639040-1242121451-4215424687-3741010097
Account Name: D9B6D940-44EB-4A09-AF46-42FBB148FBDE
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x20AE6E
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15360 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:59 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3652639040-1242121451-4215424687-3741010097
Account Name: D9B6D940-44EB-4A09-AF46-42FBB148FBDE
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x20AE6E
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15359 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:59 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: D9B6D940-44EB-4A09-AF46-42FBB148FBDE
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15358 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:59 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3652639040-1242121451-4215424687-3741010097
Account Name: D9B6D940-44EB-4A09-AF46-42FBB148FBDE
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x20AE25
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15357 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:59 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3652639040-1242121451-4215424687-3741010097
Account Name: D9B6D940-44EB-4A09-AF46-42FBB148FBDE
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x20AE25
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15356 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:59 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3652639040-1242121451-4215424687-3741010097
Account Name: D9B6D940-44EB-4A09-AF46-42FBB148FBDE
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x20AE25
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15355 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:59 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: D9B6D940-44EB-4A09-AF46-42FBB148FBDE
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15354 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:59 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3652639040-1242121451-4215424687-3741010097
Account Name: D9B6D940-44EB-4A09-AF46-42FBB148FBDE
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x20AD80
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15353 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:59 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3652639040-1242121451-4215424687-3741010097
Account Name: D9B6D940-44EB-4A09-AF46-42FBB148FBDE
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x20AD80
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15352 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:59 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: D9B6D940-44EB-4A09-AF46-42FBB148FBDE
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15351 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:59 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1271428510-1300231530-101894548-583717783
Account Name: 4BC8759E-F56A-4D7F-94C9-120697D3CA22
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x200936
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15350 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:55 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-4271999520-1123300245-2410412718-1397159450
Account Name: FEA18A20-3395-42F4-AEFA-AB8F1AF64653
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1ABB68
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15349 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:52 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1271428510-1300231530-101894548-583717783
Account Name: 4BC8759E-F56A-4D7F-94C9-120697D3CA22
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x204FDD
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15348 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:52 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1271428510-1300231530-101894548-583717783
Account Name: 4BC8759E-F56A-4D7F-94C9-120697D3CA22
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x204FDD
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15347 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:52 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1271428510-1300231530-101894548-583717783
Account Name: 4BC8759E-F56A-4D7F-94C9-120697D3CA22
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x204FDD
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15346 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:52 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 4BC8759E-F56A-4D7F-94C9-120697D3CA22
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15345 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:52 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1271428510-1300231530-101894548-583717783
Account Name: 4BC8759E-F56A-4D7F-94C9-120697D3CA22
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2015E7
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15344 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:46 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1271428510-1300231530-101894548-583717783
Account Name: 4BC8759E-F56A-4D7F-94C9-120697D3CA22
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2015E7
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15343 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:46 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1271428510-1300231530-101894548-583717783
Account Name: 4BC8759E-F56A-4D7F-94C9-120697D3CA22
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2015E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15342 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:46 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 4BC8759E-F56A-4D7F-94C9-120697D3CA22
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15341 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:46 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1271428510-1300231530-101894548-583717783
Account Name: 4BC8759E-F56A-4D7F-94C9-120697D3CA22
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2007EF
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15340 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:45 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1271428510-1300231530-101894548-583717783
Account Name: 4BC8759E-F56A-4D7F-94C9-120697D3CA22
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x200936
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15339 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:45 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1271428510-1300231530-101894548-583717783
Account Name: 4BC8759E-F56A-4D7F-94C9-120697D3CA22
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x200936
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15338 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:45 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 4BC8759E-F56A-4D7F-94C9-120697D3CA22
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15337 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:45 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1271428510-1300231530-101894548-583717783
Account Name: 4BC8759E-F56A-4D7F-94C9-120697D3CA22
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2008DD
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15336 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:45 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1271428510-1300231530-101894548-583717783
Account Name: 4BC8759E-F56A-4D7F-94C9-120697D3CA22
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2008DD
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15335 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:45 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1271428510-1300231530-101894548-583717783
Account Name: 4BC8759E-F56A-4D7F-94C9-120697D3CA22
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2008DD
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15334 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:45 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 4BC8759E-F56A-4D7F-94C9-120697D3CA22
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15333 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:45 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1271428510-1300231530-101894548-583717783
Account Name: 4BC8759E-F56A-4D7F-94C9-120697D3CA22
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x200894
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15332 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:45 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1271428510-1300231530-101894548-583717783
Account Name: 4BC8759E-F56A-4D7F-94C9-120697D3CA22
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x200894
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15331 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:45 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1271428510-1300231530-101894548-583717783
Account Name: 4BC8759E-F56A-4D7F-94C9-120697D3CA22
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x200894
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15330 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:45 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 4BC8759E-F56A-4D7F-94C9-120697D3CA22
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15329 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:45 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1271428510-1300231530-101894548-583717783
Account Name: 4BC8759E-F56A-4D7F-94C9-120697D3CA22
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2007EF
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15328 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:45 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1271428510-1300231530-101894548-583717783
Account Name: 4BC8759E-F56A-4D7F-94C9-120697D3CA22
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x2007EF
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15327 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:45 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 4BC8759E-F56A-4D7F-94C9-120697D3CA22
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15326 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:45 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-4271999520-1123300245-2410412718-1397159450
Account Name: FEA18A20-3395-42F4-AEFA-AB8F1AF64653
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1FEFC6
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15325 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:42 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-4271999520-1123300245-2410412718-1397159450
Account Name: FEA18A20-3395-42F4-AEFA-AB8F1AF64653
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1FEFC6
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15324 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:42 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-4271999520-1123300245-2410412718-1397159450
Account Name: FEA18A20-3395-42F4-AEFA-AB8F1AF64653
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1FEFC6
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15323 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:42 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: FEA18A20-3395-42F4-AEFA-AB8F1AF64653
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15322 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:42 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-888404862-1154303717-1909274290-1288731247
Account Name: 34F3FB7E-46E5-44CD-B236-CD716F7AD04C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1DAF25
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15321 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:35 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x1F7B92
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {BA32453F-14A8-4DF7-1B09-E6BFDE89C5D2}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 63972
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15320 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:33 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1F7B92
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15319 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:33 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x1F7B6C
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {BA32453F-14A8-4DF7-1B09-E6BFDE89C5D2}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 63971
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15318 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:33 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1F7B6C
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15317 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:33 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x1F7B57
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {BA32453F-14A8-4DF7-1B09-E6BFDE89C5D2}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 63971
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15316 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:33 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1F7B57
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15315 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:33 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x1F7B3B
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {81359CCD-33AE-CC9B-EB2C-C79D985DE856}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 63971
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15314 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:33 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1F7B3B
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15313 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:33 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x1F7A02
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {BA32453F-14A8-4DF7-1B09-E6BFDE89C5D2}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 63972
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15312 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:33 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1F7A02
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15311 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:33 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x1F79DC
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {BA32453F-14A8-4DF7-1B09-E6BFDE89C5D2}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 63971
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15310 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:33 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1F79DC
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15309 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:33 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x1F79C7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {BA32453F-14A8-4DF7-1B09-E6BFDE89C5D2}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 63971
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15308 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:33 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1F79C7
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15307 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:33 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x1F79B0
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {81359CCD-33AE-CC9B-EB2C-C79D985DE856}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 63971
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15306 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:33 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1F79B0
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15305 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:33 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x1F782C
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {BA32453F-14A8-4DF7-1B09-E6BFDE89C5D2}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 63972
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15304 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:33 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1F782C
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15303 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:33 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x1F7802
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {BA32453F-14A8-4DF7-1B09-E6BFDE89C5D2}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 63971
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15302 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:33 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1F7802
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15301 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:33 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x1F77ED
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {BA32453F-14A8-4DF7-1B09-E6BFDE89C5D2}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 63971
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15300 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:33 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1F77ED
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15299 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:33 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x1F77D6
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {81359CCD-33AE-CC9B-EB2C-C79D985DE856}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 63971
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15298 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:33 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1F77D6
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15297 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:33 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Identification
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x1F7608
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {81359CCD-33AE-CC9B-EB2C-C79D985DE856}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 63972
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15296 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:33 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1F7608
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15295 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:33 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x1F752E
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {BA32453F-14A8-4DF7-1B09-E6BFDE89C5D2}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 63972
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15294 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:33 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1F752E
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15293 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:33 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x1F7415
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {BA32453F-14A8-4DF7-1B09-E6BFDE89C5D2}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 63971
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15292 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:33 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1F7415
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15291 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:33 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x1F73D7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {BA32453F-14A8-4DF7-1B09-E6BFDE89C5D2}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 63971
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15290 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:33 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1F73D7
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15289 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:33 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x1F732E
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {BA32453F-14A8-4DF7-1B09-E6BFDE89C5D2}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 63972
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15288 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:32 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1F732E
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15287 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:32 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x1F7316
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {BA32453F-14A8-4DF7-1B09-E6BFDE89C5D2}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 63971
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15286 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:32 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1F7316
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15285 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:32 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x1F7301
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {BA32453F-14A8-4DF7-1B09-E6BFDE89C5D2}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 63971
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15284 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:32 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1F7301
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15283 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:32 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x1F72EA
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {81359CCD-33AE-CC9B-EB2C-C79D985DE856}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 63971
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15282 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:32 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1F72EA
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15281 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:32 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Identification
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x1F72D9
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {81359CCD-33AE-CC9B-EB2C-C79D985DE856}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 63971
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15280 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:32 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1F72D9
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15279 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:32 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x1F72C3
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {81359CCD-33AE-CC9B-EB2C-C79D985DE856}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 63970
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15278 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:32 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1F72C3
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15277 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:32 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-876013686-1200955738-1684947096-3069920039
Account Name: 3436E876-215A-4795-9840-6E642743FBB6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1EB805
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15276 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:30 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-876013686-1200955738-1684947096-3069920039
Account Name: 3436E876-215A-4795-9840-6E642743FBB6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1F246D
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15275 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:27 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-876013686-1200955738-1684947096-3069920039
Account Name: 3436E876-215A-4795-9840-6E642743FBB6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1F246D
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15274 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:27 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-876013686-1200955738-1684947096-3069920039
Account Name: 3436E876-215A-4795-9840-6E642743FBB6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1F246D
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15273 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:27 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 3436E876-215A-4795-9840-6E642743FBB6
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15272 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:27 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1EBDEE
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15271 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:21 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-876013686-1200955738-1684947096-3069920039
Account Name: 3436E876-215A-4795-9840-6E642743FBB6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1EF805
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15270 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:19 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-876013686-1200955738-1684947096-3069920039
Account Name: 3436E876-215A-4795-9840-6E642743FBB6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1EF805
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15269 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:19 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-876013686-1200955738-1684947096-3069920039
Account Name: 3436E876-215A-4795-9840-6E642743FBB6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1EF805
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15268 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:19 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 3436E876-215A-4795-9840-6E642743FBB6
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15267 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:19 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1C4C5B
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15266 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:16 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1B6962
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15265 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:16 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-876013686-1200955738-1684947096-3069920039
Account Name: 3436E876-215A-4795-9840-6E642743FBB6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1EC58E
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15264 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:11 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-876013686-1200955738-1684947096-3069920039
Account Name: 3436E876-215A-4795-9840-6E642743FBB6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1EC58E
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15263 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:11 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-876013686-1200955738-1684947096-3069920039
Account Name: 3436E876-215A-4795-9840-6E642743FBB6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1EC58E
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15262 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:11 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 3436E876-215A-4795-9840-6E642743FBB6
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15261 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:11 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x1EBDEE
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {0280A675-5C7E-EB18-A634-7A52969BC6F0}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 63959
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15260 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:10 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1EBDEE
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15259 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:10 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-876013686-1200955738-1684947096-3069920039
Account Name: 3436E876-215A-4795-9840-6E642743FBB6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1EB6BD
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15258 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:10 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-876013686-1200955738-1684947096-3069920039
Account Name: 3436E876-215A-4795-9840-6E642743FBB6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1EB805
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15257 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:10 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-876013686-1200955738-1684947096-3069920039
Account Name: 3436E876-215A-4795-9840-6E642743FBB6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1EB805
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15256 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:10 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 3436E876-215A-4795-9840-6E642743FBB6
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15255 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:10 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-876013686-1200955738-1684947096-3069920039
Account Name: 3436E876-215A-4795-9840-6E642743FBB6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1EB7AC
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15254 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:10 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-876013686-1200955738-1684947096-3069920039
Account Name: 3436E876-215A-4795-9840-6E642743FBB6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1EB7AC
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15253 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:10 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-876013686-1200955738-1684947096-3069920039
Account Name: 3436E876-215A-4795-9840-6E642743FBB6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1EB7AC
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15252 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:10 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 3436E876-215A-4795-9840-6E642743FBB6
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15251 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:10 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-876013686-1200955738-1684947096-3069920039
Account Name: 3436E876-215A-4795-9840-6E642743FBB6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1EB763
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15250 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:10 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-876013686-1200955738-1684947096-3069920039
Account Name: 3436E876-215A-4795-9840-6E642743FBB6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1EB763
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15249 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:10 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-876013686-1200955738-1684947096-3069920039
Account Name: 3436E876-215A-4795-9840-6E642743FBB6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1EB763
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15248 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:10 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 3436E876-215A-4795-9840-6E642743FBB6
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15247 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:10 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-876013686-1200955738-1684947096-3069920039
Account Name: 3436E876-215A-4795-9840-6E642743FBB6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1EB6BD
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15246 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:10 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-876013686-1200955738-1684947096-3069920039
Account Name: 3436E876-215A-4795-9840-6E642743FBB6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1EB6BD
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15245 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:10 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 3436E876-215A-4795-9840-6E642743FBB6
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15244 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:10 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-4271999520-1123300245-2410412718-1397159450
Account Name: FEA18A20-3395-42F4-AEFA-AB8F1AF64653
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1EA67D
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15243 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:07 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-4271999520-1123300245-2410412718-1397159450
Account Name: FEA18A20-3395-42F4-AEFA-AB8F1AF64653
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1EA67D
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15242 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:07 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-4271999520-1123300245-2410412718-1397159450
Account Name: FEA18A20-3395-42F4-AEFA-AB8F1AF64653
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1EA67D
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15241 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:07 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: FEA18A20-3395-42F4-AEFA-AB8F1AF64653
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15240 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:07 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2702979836-1079855313-3875374209-584161775
Account Name: A11C32FC-48D1-405D-8184-FDE6EF99D122
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x16C9CF
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15239 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:19:03 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1B7434
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15238 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:57 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1B73EB
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15237 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:57 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1B73B8
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15236 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:57 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1B7249
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15235 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:57 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1B7234
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15234 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:57 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1B7209
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15233 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:57 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1B6FBF
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15232 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:57 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1B6FAA
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15231 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:57 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1B6F93
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15230 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:57 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1B6AF0
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15229 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:57 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1B6AB2
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15228 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:57 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1B69D5
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15227 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:57 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1B69C0
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15226 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:57 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1B69A6
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15225 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:57 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1B7539
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15224 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:57 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1B6994
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15223 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:57 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1B726F
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15222 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:57 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1B6FE9
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15221 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:57 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1B6CC6
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15220 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:57 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1B6C8A
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15219 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:57 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1B6A1F
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15218 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:57 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-888404862-1154303717-1909274290-1288731247
Account Name: 34F3FB7E-46E5-44CD-B236-CD716F7AD04C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1E1DA0
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15217 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:54 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-888404862-1154303717-1909274290-1288731247
Account Name: 34F3FB7E-46E5-44CD-B236-CD716F7AD04C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1E1DA0
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15216 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:54 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-888404862-1154303717-1909274290-1288731247
Account Name: 34F3FB7E-46E5-44CD-B236-CD716F7AD04C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1E1DA0
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15215 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:54 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 34F3FB7E-46E5-44CD-B236-CD716F7AD04C
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15214 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:54 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2601621104-1301550407-1866575762-1294575223
Account Name: 9B119670-1547-4D94-92AF-416F77A6294D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xFB5D2
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15213 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:49 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2219524086-1324169162-1082576281-908331269
Account Name: 844B3FF6-37CA-4EED-99CD-864005092436
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1318AD
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15212 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:45 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-888404862-1154303717-1909274290-1288731247
Account Name: 34F3FB7E-46E5-44CD-B236-CD716F7AD04C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1DBCAA
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15211 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:44 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-888404862-1154303717-1909274290-1288731247
Account Name: 34F3FB7E-46E5-44CD-B236-CD716F7AD04C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1DBCAA
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15210 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:44 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-888404862-1154303717-1909274290-1288731247
Account Name: 34F3FB7E-46E5-44CD-B236-CD716F7AD04C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1DBCAA
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15209 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:44 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 34F3FB7E-46E5-44CD-B236-CD716F7AD04C
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15208 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:44 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-888404862-1154303717-1909274290-1288731247
Account Name: 34F3FB7E-46E5-44CD-B236-CD716F7AD04C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1DADDE
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15207 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:44 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-888404862-1154303717-1909274290-1288731247
Account Name: 34F3FB7E-46E5-44CD-B236-CD716F7AD04C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1DAF25
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15206 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:44 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-888404862-1154303717-1909274290-1288731247
Account Name: 34F3FB7E-46E5-44CD-B236-CD716F7AD04C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1DAF25
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15205 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:44 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 34F3FB7E-46E5-44CD-B236-CD716F7AD04C
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15204 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:44 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-888404862-1154303717-1909274290-1288731247
Account Name: 34F3FB7E-46E5-44CD-B236-CD716F7AD04C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1DAECC
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15203 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:44 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-888404862-1154303717-1909274290-1288731247
Account Name: 34F3FB7E-46E5-44CD-B236-CD716F7AD04C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1DAECC
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15202 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:44 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-888404862-1154303717-1909274290-1288731247
Account Name: 34F3FB7E-46E5-44CD-B236-CD716F7AD04C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1DAECC
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15201 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:44 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 34F3FB7E-46E5-44CD-B236-CD716F7AD04C
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15200 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:44 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-888404862-1154303717-1909274290-1288731247
Account Name: 34F3FB7E-46E5-44CD-B236-CD716F7AD04C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1DAE83
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15199 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:44 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-888404862-1154303717-1909274290-1288731247
Account Name: 34F3FB7E-46E5-44CD-B236-CD716F7AD04C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1DAE83
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15198 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:44 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-888404862-1154303717-1909274290-1288731247
Account Name: 34F3FB7E-46E5-44CD-B236-CD716F7AD04C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1DAE83
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15197 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:44 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 34F3FB7E-46E5-44CD-B236-CD716F7AD04C
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15196 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:44 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-888404862-1154303717-1909274290-1288731247
Account Name: 34F3FB7E-46E5-44CD-B236-CD716F7AD04C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1DADDE
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15195 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:44 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-888404862-1154303717-1909274290-1288731247
Account Name: 34F3FB7E-46E5-44CD-B236-CD716F7AD04C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1DADDE
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15194 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:44 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 34F3FB7E-46E5-44CD-B236-CD716F7AD04C
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15193 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:44 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1263332922-1331840200-1091283101-2087558216
Account Name: 4B4CEE3A-44C8-4F62-9DA8-0B41489C6D7C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1B40F0
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15192 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:42 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1263332922-1331840200-1091283101-2087558216
Account Name: 4B4CEE3A-44C8-4F62-9DA8-0B41489C6D7C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1D4446
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15191 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:40 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1263332922-1331840200-1091283101-2087558216
Account Name: 4B4CEE3A-44C8-4F62-9DA8-0B41489C6D7C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1D4446
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15190 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:40 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1263332922-1331840200-1091283101-2087558216
Account Name: 4B4CEE3A-44C8-4F62-9DA8-0B41489C6D7C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1D4446
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15189 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:40 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 4B4CEE3A-44C8-4F62-9DA8-0B41489C6D7C
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15188 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:40 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3108381460-1162295585-122255505-1487766260
Account Name: B9462314-3921-4547-9178-4907F482AD58
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1B8140
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15187 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:36 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3108381460-1162295585-122255505-1487766260
Account Name: B9462314-3921-4547-9178-4907F482AD58
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1CC04C
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15186 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:33 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3108381460-1162295585-122255505-1487766260
Account Name: B9462314-3921-4547-9178-4907F482AD58
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1CC04C
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15185 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:33 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3108381460-1162295585-122255505-1487766260
Account Name: B9462314-3921-4547-9178-4907F482AD58
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1CC04C
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15184 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:33 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: B9462314-3921-4547-9178-4907F482AD58
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15183 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:33 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-62920317-1090805685-2685693375-1036625008
Account Name: 03C0167D-5FB5-4104-BF6D-14A070A4C93D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1BB1DD
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15182 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:29 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3108381460-1162295585-122255505-1487766260
Account Name: B9462314-3921-4547-9178-4907F482AD58
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1C4F26
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15181 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:26 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3108381460-1162295585-122255505-1487766260
Account Name: B9462314-3921-4547-9178-4907F482AD58
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1C4F26
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15180 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:26 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3108381460-1162295585-122255505-1487766260
Account Name: B9462314-3921-4547-9178-4907F482AD58
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1C4F26
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15179 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:26 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: B9462314-3921-4547-9178-4907F482AD58
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15178 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:26 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Identification
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x1C4C5B
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {263E8714-E751-0AC8-D615-26BB3905D945}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 63924
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15177 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:26 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1C4C5B
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15176 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:26 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1263332922-1331840200-1091283101-2087558216
Account Name: 4B4CEE3A-44C8-4F62-9DA8-0B41489C6D7C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1C0593
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15175 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:23 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1263332922-1331840200-1091283101-2087558216
Account Name: 4B4CEE3A-44C8-4F62-9DA8-0B41489C6D7C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1C0593
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15174 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:23 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1263332922-1331840200-1091283101-2087558216
Account Name: 4B4CEE3A-44C8-4F62-9DA8-0B41489C6D7C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1C0593
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15173 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:23 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 4B4CEE3A-44C8-4F62-9DA8-0B41489C6D7C
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15172 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:23 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-4026082838-1104600044-1782073259-2223842631
Account Name: EFF92616-DBEC-41D6-AB47-386A47258D84
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x19D49D
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15171 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:23 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-4026082838-1104600044-1782073259-2223842631
Account Name: EFF92616-DBEC-41D6-AB47-386A47258D84
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1C042F
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15170 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:23 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-4026082838-1104600044-1782073259-2223842631
Account Name: EFF92616-DBEC-41D6-AB47-386A47258D84
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1C042F
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15169 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:23 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-4026082838-1104600044-1782073259-2223842631
Account Name: EFF92616-DBEC-41D6-AB47-386A47258D84
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1C042F
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15168 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:23 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: EFF92616-DBEC-41D6-AB47-386A47258D84
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15167 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:23 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-62920317-1090805685-2685693375-1036625008
Account Name: 03C0167D-5FB5-4104-BF6D-14A070A4C93D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1BE03F
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15166 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:22 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-62920317-1090805685-2685693375-1036625008
Account Name: 03C0167D-5FB5-4104-BF6D-14A070A4C93D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1BE03F
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15165 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:22 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-62920317-1090805685-2685693375-1036625008
Account Name: 03C0167D-5FB5-4104-BF6D-14A070A4C93D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1BE03F
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15164 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:22 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 03C0167D-5FB5-4104-BF6D-14A070A4C93D
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15163 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:22 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-62920317-1090805685-2685693375-1036625008
Account Name: 03C0167D-5FB5-4104-BF6D-14A070A4C93D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1BCA6B
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15162 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:21 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-62920317-1090805685-2685693375-1036625008
Account Name: 03C0167D-5FB5-4104-BF6D-14A070A4C93D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1BCA6B
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15161 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:21 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-62920317-1090805685-2685693375-1036625008
Account Name: 03C0167D-5FB5-4104-BF6D-14A070A4C93D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1BCA6B
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15160 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:21 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 03C0167D-5FB5-4104-BF6D-14A070A4C93D
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15159 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:21 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-62920317-1090805685-2685693375-1036625008
Account Name: 03C0167D-5FB5-4104-BF6D-14A070A4C93D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1BB072
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15158 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:21 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-62920317-1090805685-2685693375-1036625008
Account Name: 03C0167D-5FB5-4104-BF6D-14A070A4C93D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1BB1DD
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15157 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:21 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-62920317-1090805685-2685693375-1036625008
Account Name: 03C0167D-5FB5-4104-BF6D-14A070A4C93D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1BB1DD
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15156 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:21 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 03C0167D-5FB5-4104-BF6D-14A070A4C93D
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15155 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:21 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-62920317-1090805685-2685693375-1036625008
Account Name: 03C0167D-5FB5-4104-BF6D-14A070A4C93D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1BB17A
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15154 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:21 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-62920317-1090805685-2685693375-1036625008
Account Name: 03C0167D-5FB5-4104-BF6D-14A070A4C93D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1BB17A
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15153 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:21 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-62920317-1090805685-2685693375-1036625008
Account Name: 03C0167D-5FB5-4104-BF6D-14A070A4C93D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1BB17A
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15152 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:21 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 03C0167D-5FB5-4104-BF6D-14A070A4C93D
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15151 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:21 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-62920317-1090805685-2685693375-1036625008
Account Name: 03C0167D-5FB5-4104-BF6D-14A070A4C93D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1BB131
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15150 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:21 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-62920317-1090805685-2685693375-1036625008
Account Name: 03C0167D-5FB5-4104-BF6D-14A070A4C93D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1BB131
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15149 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:21 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-62920317-1090805685-2685693375-1036625008
Account Name: 03C0167D-5FB5-4104-BF6D-14A070A4C93D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1BB131
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15148 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:21 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 03C0167D-5FB5-4104-BF6D-14A070A4C93D
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15147 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:21 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-62920317-1090805685-2685693375-1036625008
Account Name: 03C0167D-5FB5-4104-BF6D-14A070A4C93D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1BB072
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15146 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:20 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-62920317-1090805685-2685693375-1036625008
Account Name: 03C0167D-5FB5-4104-BF6D-14A070A4C93D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1BB072
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15145 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:20 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 03C0167D-5FB5-4104-BF6D-14A070A4C93D
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15144 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:20 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3108381460-1162295585-122255505-1487766260
Account Name: B9462314-3921-4547-9178-4907F482AD58
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1B900D
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15143 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:18 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3108381460-1162295585-122255505-1487766260
Account Name: B9462314-3921-4547-9178-4907F482AD58
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1B900D
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15142 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:18 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3108381460-1162295585-122255505-1487766260
Account Name: B9462314-3921-4547-9178-4907F482AD58
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1B900D
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15141 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:18 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: B9462314-3921-4547-9178-4907F482AD58
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15140 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:18 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3108381460-1162295585-122255505-1487766260
Account Name: B9462314-3921-4547-9178-4907F482AD58
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1B7FEF
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15139 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:18 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3108381460-1162295585-122255505-1487766260
Account Name: B9462314-3921-4547-9178-4907F482AD58
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1B8140
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15138 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:18 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3108381460-1162295585-122255505-1487766260
Account Name: B9462314-3921-4547-9178-4907F482AD58
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1B8140
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15137 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:18 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: B9462314-3921-4547-9178-4907F482AD58
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15136 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:18 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3108381460-1162295585-122255505-1487766260
Account Name: B9462314-3921-4547-9178-4907F482AD58
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1B80E7
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15135 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:18 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3108381460-1162295585-122255505-1487766260
Account Name: B9462314-3921-4547-9178-4907F482AD58
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1B80E7
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15134 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:18 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3108381460-1162295585-122255505-1487766260
Account Name: B9462314-3921-4547-9178-4907F482AD58
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1B80E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15133 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:18 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: B9462314-3921-4547-9178-4907F482AD58
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15132 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:18 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3108381460-1162295585-122255505-1487766260
Account Name: B9462314-3921-4547-9178-4907F482AD58
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1B809E
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15131 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:18 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3108381460-1162295585-122255505-1487766260
Account Name: B9462314-3921-4547-9178-4907F482AD58
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1B809E
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15130 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:18 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3108381460-1162295585-122255505-1487766260
Account Name: B9462314-3921-4547-9178-4907F482AD58
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1B809E
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15129 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:18 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: B9462314-3921-4547-9178-4907F482AD58
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15128 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:18 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3108381460-1162295585-122255505-1487766260
Account Name: B9462314-3921-4547-9178-4907F482AD58
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1B7FEF
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15127 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:18 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3108381460-1162295585-122255505-1487766260
Account Name: B9462314-3921-4547-9178-4907F482AD58
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1B7FEF
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15126 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:18 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: B9462314-3921-4547-9178-4907F482AD58
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15125 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:18 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x1B7539
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {BA32453F-14A8-4DF7-1B09-E6BFDE89C5D2}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 63926
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15124 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1B7539
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15123 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x1B7434
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {BA32453F-14A8-4DF7-1B09-E6BFDE89C5D2}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 63925
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15122 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1B7434
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15121 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x1B73EB
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {BA32453F-14A8-4DF7-1B09-E6BFDE89C5D2}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 63925
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15120 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1B73EB
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15119 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x1B73B8
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {81359CCD-33AE-CC9B-EB2C-C79D985DE856}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 63925
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15118 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1B73B8
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15117 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x1B726F
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {BA32453F-14A8-4DF7-1B09-E6BFDE89C5D2}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 63926
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15116 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1B726F
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15115 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x1B7249
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {BA32453F-14A8-4DF7-1B09-E6BFDE89C5D2}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 63925
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15114 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1B7249
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15113 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x1B7234
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {BA32453F-14A8-4DF7-1B09-E6BFDE89C5D2}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 63925
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15112 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1B7234
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15111 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x1B7209
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {81359CCD-33AE-CC9B-EB2C-C79D985DE856}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 63925
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15110 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1B7209
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15109 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x1B6FE9
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {BA32453F-14A8-4DF7-1B09-E6BFDE89C5D2}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 63926
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15108 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1B6FE9
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15107 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x1B6FBF
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {BA32453F-14A8-4DF7-1B09-E6BFDE89C5D2}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 63925
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15106 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1B6FBF
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15105 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x1B6FAA
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {BA32453F-14A8-4DF7-1B09-E6BFDE89C5D2}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 63925
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15104 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1B6FAA
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15103 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x1B6F93
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {81359CCD-33AE-CC9B-EB2C-C79D985DE856}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 63925
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15102 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1B6F93
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15101 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x1B6CC6
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {BA32453F-14A8-4DF7-1B09-E6BFDE89C5D2}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 63926
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15100 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1B6CC6
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15099 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Identification
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x1B6C8A
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {81359CCD-33AE-CC9B-EB2C-C79D985DE856}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 63926
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15098 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1B6C8A
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15097 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x1B6AF0
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {BA32453F-14A8-4DF7-1B09-E6BFDE89C5D2}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 63925
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15096 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1B6AF0
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15095 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x1B6AB2
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {BA32453F-14A8-4DF7-1B09-E6BFDE89C5D2}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 63925
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15094 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1B6AB2
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15093 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x1B6A1F
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {BA32453F-14A8-4DF7-1B09-E6BFDE89C5D2}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 63926
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15092 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1B6A1F
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15091 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x1B69D5
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {BA32453F-14A8-4DF7-1B09-E6BFDE89C5D2}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 63925
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15090 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1B69D5
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15089 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x1B69C0
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {BA32453F-14A8-4DF7-1B09-E6BFDE89C5D2}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 63925
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15088 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1B69C0
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15087 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x1B69A6
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {81359CCD-33AE-CC9B-EB2C-C79D985DE856}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 63925
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15086 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:15 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1B69A6
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15085 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:15 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Identification
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x1B6994
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {81359CCD-33AE-CC9B-EB2C-C79D985DE856}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 63925
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15084 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:15 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1B6994
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15083 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:15 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x1B6962
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {81359CCD-33AE-CC9B-EB2C-C79D985DE856}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 63924
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15082 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:15 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1B6962
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15081 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:15 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1263332922-1331840200-1091283101-2087558216
Account Name: 4B4CEE3A-44C8-4F62-9DA8-0B41489C6D7C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1B4F7C
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15080 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:12 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1263332922-1331840200-1091283101-2087558216
Account Name: 4B4CEE3A-44C8-4F62-9DA8-0B41489C6D7C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1B4F7C
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15079 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:12 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1263332922-1331840200-1091283101-2087558216
Account Name: 4B4CEE3A-44C8-4F62-9DA8-0B41489C6D7C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1B4F7C
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15078 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:12 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 4B4CEE3A-44C8-4F62-9DA8-0B41489C6D7C
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15077 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:12 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1263332922-1331840200-1091283101-2087558216
Account Name: 4B4CEE3A-44C8-4F62-9DA8-0B41489C6D7C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1B3FA6
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15076 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:12 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1263332922-1331840200-1091283101-2087558216
Account Name: 4B4CEE3A-44C8-4F62-9DA8-0B41489C6D7C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1B40F0
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15075 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:12 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1263332922-1331840200-1091283101-2087558216
Account Name: 4B4CEE3A-44C8-4F62-9DA8-0B41489C6D7C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1B40F0
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15074 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:12 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 4B4CEE3A-44C8-4F62-9DA8-0B41489C6D7C
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15073 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:12 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1263332922-1331840200-1091283101-2087558216
Account Name: 4B4CEE3A-44C8-4F62-9DA8-0B41489C6D7C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1B4097
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15072 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:12 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1263332922-1331840200-1091283101-2087558216
Account Name: 4B4CEE3A-44C8-4F62-9DA8-0B41489C6D7C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1B4097
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15071 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:12 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1263332922-1331840200-1091283101-2087558216
Account Name: 4B4CEE3A-44C8-4F62-9DA8-0B41489C6D7C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1B4097
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15070 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:12 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 4B4CEE3A-44C8-4F62-9DA8-0B41489C6D7C
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15069 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:12 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1263332922-1331840200-1091283101-2087558216
Account Name: 4B4CEE3A-44C8-4F62-9DA8-0B41489C6D7C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1B404E
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15068 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:12 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1263332922-1331840200-1091283101-2087558216
Account Name: 4B4CEE3A-44C8-4F62-9DA8-0B41489C6D7C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1B404E
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15067 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:12 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1263332922-1331840200-1091283101-2087558216
Account Name: 4B4CEE3A-44C8-4F62-9DA8-0B41489C6D7C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1B404E
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15066 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:12 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 4B4CEE3A-44C8-4F62-9DA8-0B41489C6D7C
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15065 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:12 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1263332922-1331840200-1091283101-2087558216
Account Name: 4B4CEE3A-44C8-4F62-9DA8-0B41489C6D7C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1B3FA6
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15064 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:11 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1263332922-1331840200-1091283101-2087558216
Account Name: 4B4CEE3A-44C8-4F62-9DA8-0B41489C6D7C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1B3FA6
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15063 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:11 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 4B4CEE3A-44C8-4F62-9DA8-0B41489C6D7C
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15062 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:11 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1A7FF7
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15061 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:05 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-4271999520-1123300245-2410412718-1397159450
Account Name: FEA18A20-3395-42F4-AEFA-AB8F1AF64653
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1B142E
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15060 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:01 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-4271999520-1123300245-2410412718-1397159450
Account Name: FEA18A20-3395-42F4-AEFA-AB8F1AF64653
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1B142E
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15059 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:01 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-4271999520-1123300245-2410412718-1397159450
Account Name: FEA18A20-3395-42F4-AEFA-AB8F1AF64653
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1B142E
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15058 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:01 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: FEA18A20-3395-42F4-AEFA-AB8F1AF64653
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15057 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:18:01 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-4271999520-1123300245-2410412718-1397159450
Account Name: FEA18A20-3395-42F4-AEFA-AB8F1AF64653
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1AC920
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15056 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:17:55 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-4271999520-1123300245-2410412718-1397159450
Account Name: FEA18A20-3395-42F4-AEFA-AB8F1AF64653
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1AC920
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15055 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:17:55 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-4271999520-1123300245-2410412718-1397159450
Account Name: FEA18A20-3395-42F4-AEFA-AB8F1AF64653
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1AC920
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15054 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:17:55 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: FEA18A20-3395-42F4-AEFA-AB8F1AF64653
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15053 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:17:55 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-4271999520-1123300245-2410412718-1397159450
Account Name: FEA18A20-3395-42F4-AEFA-AB8F1AF64653
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1ABA20
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15052 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:17:54 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-4271999520-1123300245-2410412718-1397159450
Account Name: FEA18A20-3395-42F4-AEFA-AB8F1AF64653
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1ABB68
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15051 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:17:54 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-4271999520-1123300245-2410412718-1397159450
Account Name: FEA18A20-3395-42F4-AEFA-AB8F1AF64653
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1ABB68
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15050 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:17:54 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: FEA18A20-3395-42F4-AEFA-AB8F1AF64653
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15049 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:17:54 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-4271999520-1123300245-2410412718-1397159450
Account Name: FEA18A20-3395-42F4-AEFA-AB8F1AF64653
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1ABB0F
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15048 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:17:54 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-4271999520-1123300245-2410412718-1397159450
Account Name: FEA18A20-3395-42F4-AEFA-AB8F1AF64653
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1ABB0F
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15047 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:17:54 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-4271999520-1123300245-2410412718-1397159450
Account Name: FEA18A20-3395-42F4-AEFA-AB8F1AF64653
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1ABB0F
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15046 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:17:54 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: FEA18A20-3395-42F4-AEFA-AB8F1AF64653
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15045 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:17:54 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-4271999520-1123300245-2410412718-1397159450
Account Name: FEA18A20-3395-42F4-AEFA-AB8F1AF64653
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1ABAC6
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15044 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:17:54 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-4271999520-1123300245-2410412718-1397159450
Account Name: FEA18A20-3395-42F4-AEFA-AB8F1AF64653
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1ABAC6
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15043 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:17:54 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-4271999520-1123300245-2410412718-1397159450
Account Name: FEA18A20-3395-42F4-AEFA-AB8F1AF64653
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1ABAC6
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15042 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:17:54 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: FEA18A20-3395-42F4-AEFA-AB8F1AF64653
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15041 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:17:54 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-4271999520-1123300245-2410412718-1397159450
Account Name: FEA18A20-3395-42F4-AEFA-AB8F1AF64653
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1ABA20
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15040 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:17:54 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-4271999520-1123300245-2410412718-1397159450
Account Name: FEA18A20-3395-42F4-AEFA-AB8F1AF64653
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1ABA20
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15039 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:17:54 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: FEA18A20-3395-42F4-AEFA-AB8F1AF64653
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15038 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:17:54 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1745622184-1112388259-3783870349-2775382861
Account Name: 680C14A8-B2A3-424D-8D47-89E14DFB6CA5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1931EF
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15037 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:17:54 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x1A7FF7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {0280A675-5C7E-EB18-A634-7A52969BC6F0}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 63899
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15036 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:17:49 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1A7FF7
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15035 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:17:49 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-4026082838-1104600044-1782073259-2223842631
Account Name: EFF92616-DBEC-41D6-AB47-386A47258D84
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1A4FC4
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15034 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:17:38 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-4026082838-1104600044-1782073259-2223842631
Account Name: EFF92616-DBEC-41D6-AB47-386A47258D84
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1A4FC4
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15033 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:17:38 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-4026082838-1104600044-1782073259-2223842631
Account Name: EFF92616-DBEC-41D6-AB47-386A47258D84
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1A4FC4
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15032 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:17:38 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: EFF92616-DBEC-41D6-AB47-386A47258D84
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15031 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:17:38 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1337713819-1261765810-887458444-15401560
Account Name: 4FBBE49B-04B2-4B35-8C8A-E5345802EB00
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x186257
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15030 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:17:36 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-4026082838-1104600044-1782073259-2223842631
Account Name: EFF92616-DBEC-41D6-AB47-386A47258D84
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1A1316
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15029 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:17:28 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-4026082838-1104600044-1782073259-2223842631
Account Name: EFF92616-DBEC-41D6-AB47-386A47258D84
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1A1316
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15028 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:17:28 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-4026082838-1104600044-1782073259-2223842631
Account Name: EFF92616-DBEC-41D6-AB47-386A47258D84
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1A1316
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15027 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:17:28 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: EFF92616-DBEC-41D6-AB47-386A47258D84
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15026 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:17:28 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x192FC9
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15025 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:17:27 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1337713819-1261765810-887458444-15401560
Account Name: 4FBBE49B-04B2-4B35-8C8A-E5345802EB00
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x19F34B
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15024 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:17:24 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1337713819-1261765810-887458444-15401560
Account Name: 4FBBE49B-04B2-4B35-8C8A-E5345802EB00
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x19F34B
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15023 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:17:24 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1337713819-1261765810-887458444-15401560
Account Name: 4FBBE49B-04B2-4B35-8C8A-E5345802EB00
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x19F34B
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15022 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:17:24 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 4FBBE49B-04B2-4B35-8C8A-E5345802EB00
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15021 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:17:24 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-4026082838-1104600044-1782073259-2223842631
Account Name: EFF92616-DBEC-41D6-AB47-386A47258D84
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x19D33C
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15020 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:17:22 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-4026082838-1104600044-1782073259-2223842631
Account Name: EFF92616-DBEC-41D6-AB47-386A47258D84
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x19D49D
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15019 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:17:22 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-4026082838-1104600044-1782073259-2223842631
Account Name: EFF92616-DBEC-41D6-AB47-386A47258D84
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x19D49D
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15018 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:17:22 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: EFF92616-DBEC-41D6-AB47-386A47258D84
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15017 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:17:22 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-4026082838-1104600044-1782073259-2223842631
Account Name: EFF92616-DBEC-41D6-AB47-386A47258D84
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x19D444
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15016 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:17:22 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-4026082838-1104600044-1782073259-2223842631
Account Name: EFF92616-DBEC-41D6-AB47-386A47258D84
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x19D444
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15015 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:17:22 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-4026082838-1104600044-1782073259-2223842631
Account Name: EFF92616-DBEC-41D6-AB47-386A47258D84
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x19D444
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15014 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:17:22 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: EFF92616-DBEC-41D6-AB47-386A47258D84
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15013 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:17:22 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-4026082838-1104600044-1782073259-2223842631
Account Name: EFF92616-DBEC-41D6-AB47-386A47258D84
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x19D3F8
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15012 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:17:22 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-4026082838-1104600044-1782073259-2223842631
Account Name: EFF92616-DBEC-41D6-AB47-386A47258D84
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x19D3F8
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15011 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:17:22 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-4026082838-1104600044-1782073259-2223842631
Account Name: EFF92616-DBEC-41D6-AB47-386A47258D84
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x19D3F8
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15010 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:17:22 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: EFF92616-DBEC-41D6-AB47-386A47258D84
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15009 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:17:22 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-4026082838-1104600044-1782073259-2223842631
Account Name: EFF92616-DBEC-41D6-AB47-386A47258D84
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x19D33C
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15008 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:17:22 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-4026082838-1104600044-1782073259-2223842631
Account Name: EFF92616-DBEC-41D6-AB47-386A47258D84
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x19D33C
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15007 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:17:22 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: EFF92616-DBEC-41D6-AB47-386A47258D84
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15006 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:17:22 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1745622184-1112388259-3783870349-2775382861
Account Name: 680C14A8-B2A3-424D-8D47-89E14DFB6CA5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x19BBDC
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15005 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:17:21 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1745622184-1112388259-3783870349-2775382861
Account Name: 680C14A8-B2A3-424D-8D47-89E14DFB6CA5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x19BBDC
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15004 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:17:21 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1745622184-1112388259-3783870349-2775382861
Account Name: 680C14A8-B2A3-424D-8D47-89E14DFB6CA5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x19BBDC
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15003 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:17:21 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 680C14A8-B2A3-424D-8D47-89E14DFB6CA5
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15002 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:17:21 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1479755401-1249535806-2758820533-1051272137
Account Name: 58334689-673E-4A7A-B542-70A4C923A93E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x17DFC9
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15001 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:17:20 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1745622184-1112388259-3783870349-2775382861
Account Name: 680C14A8-B2A3-424D-8D47-89E14DFB6CA5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x193FD6
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15000 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:17:12 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1745622184-1112388259-3783870349-2775382861
Account Name: 680C14A8-B2A3-424D-8D47-89E14DFB6CA5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x193FD6
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14999 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:17:12 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1745622184-1112388259-3783870349-2775382861
Account Name: 680C14A8-B2A3-424D-8D47-89E14DFB6CA5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x193FD6
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14998 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:17:12 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 680C14A8-B2A3-424D-8D47-89E14DFB6CA5
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14997 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:17:12 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1745622184-1112388259-3783870349-2775382861
Account Name: 680C14A8-B2A3-424D-8D47-89E14DFB6CA5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1930A8
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14996 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:17:12 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1745622184-1112388259-3783870349-2775382861
Account Name: 680C14A8-B2A3-424D-8D47-89E14DFB6CA5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1931EF
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14995 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:17:12 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1745622184-1112388259-3783870349-2775382861
Account Name: 680C14A8-B2A3-424D-8D47-89E14DFB6CA5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1931EF
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14994 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:17:12 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 680C14A8-B2A3-424D-8D47-89E14DFB6CA5
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14993 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:17:12 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1745622184-1112388259-3783870349-2775382861
Account Name: 680C14A8-B2A3-424D-8D47-89E14DFB6CA5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x193196
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14992 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:17:12 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1745622184-1112388259-3783870349-2775382861
Account Name: 680C14A8-B2A3-424D-8D47-89E14DFB6CA5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x193196
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14991 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:17:12 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1745622184-1112388259-3783870349-2775382861
Account Name: 680C14A8-B2A3-424D-8D47-89E14DFB6CA5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x193196
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14990 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:17:12 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 680C14A8-B2A3-424D-8D47-89E14DFB6CA5
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14989 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:17:12 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1745622184-1112388259-3783870349-2775382861
Account Name: 680C14A8-B2A3-424D-8D47-89E14DFB6CA5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x19314D
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14988 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:17:12 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1745622184-1112388259-3783870349-2775382861
Account Name: 680C14A8-B2A3-424D-8D47-89E14DFB6CA5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x19314D
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14987 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:17:12 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1745622184-1112388259-3783870349-2775382861
Account Name: 680C14A8-B2A3-424D-8D47-89E14DFB6CA5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x19314D
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14986 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:17:12 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 680C14A8-B2A3-424D-8D47-89E14DFB6CA5
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14985 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:17:12 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1745622184-1112388259-3783870349-2775382861
Account Name: 680C14A8-B2A3-424D-8D47-89E14DFB6CA5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1930A8
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14984 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:17:12 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1745622184-1112388259-3783870349-2775382861
Account Name: 680C14A8-B2A3-424D-8D47-89E14DFB6CA5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1930A8
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14983 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:17:12 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 680C14A8-B2A3-424D-8D47-89E14DFB6CA5
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14982 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:17:12 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x192FC9
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {0280A675-5C7E-EB18-A634-7A52969BC6F0}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 63886
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14981 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:17:11 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x192FC9
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14980 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:17:11 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-84069137-1260459033-3592851594-4141775940
Account Name: 0502CB11-1419-4B21-8A90-26D6447CDEF6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x14A71D
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14979 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:17:02 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1337713819-1261765810-887458444-15401560
Account Name: 4FBBE49B-04B2-4B35-8C8A-E5345802EB00
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x18B1DC
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14978 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:16:59 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1337713819-1261765810-887458444-15401560
Account Name: 4FBBE49B-04B2-4B35-8C8A-E5345802EB00
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x18B1DC
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14977 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:16:59 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1337713819-1261765810-887458444-15401560
Account Name: 4FBBE49B-04B2-4B35-8C8A-E5345802EB00
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x18B1DC
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14976 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:16:59 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 4FBBE49B-04B2-4B35-8C8A-E5345802EB00
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14975 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:16:59 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1337713819-1261765810-887458444-15401560
Account Name: 4FBBE49B-04B2-4B35-8C8A-E5345802EB00
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1870AF
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14974 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:16:51 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1337713819-1261765810-887458444-15401560
Account Name: 4FBBE49B-04B2-4B35-8C8A-E5345802EB00
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1870AF
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14973 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:16:51 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1337713819-1261765810-887458444-15401560
Account Name: 4FBBE49B-04B2-4B35-8C8A-E5345802EB00
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1870AF
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14972 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:16:51 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 4FBBE49B-04B2-4B35-8C8A-E5345802EB00
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14971 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:16:51 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1337713819-1261765810-887458444-15401560
Account Name: 4FBBE49B-04B2-4B35-8C8A-E5345802EB00
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x18610C
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14970 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:16:51 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1337713819-1261765810-887458444-15401560
Account Name: 4FBBE49B-04B2-4B35-8C8A-E5345802EB00
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x186257
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14969 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:16:51 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1337713819-1261765810-887458444-15401560
Account Name: 4FBBE49B-04B2-4B35-8C8A-E5345802EB00
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x186257
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14968 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:16:51 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 4FBBE49B-04B2-4B35-8C8A-E5345802EB00
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14967 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:16:51 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1337713819-1261765810-887458444-15401560
Account Name: 4FBBE49B-04B2-4B35-8C8A-E5345802EB00
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1861FE
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14966 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:16:51 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1337713819-1261765810-887458444-15401560
Account Name: 4FBBE49B-04B2-4B35-8C8A-E5345802EB00
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1861FE
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14965 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:16:51 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1337713819-1261765810-887458444-15401560
Account Name: 4FBBE49B-04B2-4B35-8C8A-E5345802EB00
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1861FE
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14964 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:16:51 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 4FBBE49B-04B2-4B35-8C8A-E5345802EB00
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14963 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:16:51 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1337713819-1261765810-887458444-15401560
Account Name: 4FBBE49B-04B2-4B35-8C8A-E5345802EB00
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1861B5
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14962 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:16:51 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1337713819-1261765810-887458444-15401560
Account Name: 4FBBE49B-04B2-4B35-8C8A-E5345802EB00
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1861B5
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14961 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:16:51 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1337713819-1261765810-887458444-15401560
Account Name: 4FBBE49B-04B2-4B35-8C8A-E5345802EB00
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1861B5
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14960 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:16:51 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 4FBBE49B-04B2-4B35-8C8A-E5345802EB00
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14959 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:16:51 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1337713819-1261765810-887458444-15401560
Account Name: 4FBBE49B-04B2-4B35-8C8A-E5345802EB00
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x18610C
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14958 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:16:51 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1337713819-1261765810-887458444-15401560
Account Name: 4FBBE49B-04B2-4B35-8C8A-E5345802EB00
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x18610C
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14957 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:16:51 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 4FBBE49B-04B2-4B35-8C8A-E5345802EB00
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14956 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:16:51 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-84069137-1260459033-3592851594-4141775940
Account Name: 0502CB11-1419-4B21-8A90-26D6447CDEF6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x184EE6
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14955 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:16:43 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-84069137-1260459033-3592851594-4141775940
Account Name: 0502CB11-1419-4B21-8A90-26D6447CDEF6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x184EE6
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14954 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:16:43 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-84069137-1260459033-3592851594-4141775940
Account Name: 0502CB11-1419-4B21-8A90-26D6447CDEF6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x184EE6
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14953 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:16:43 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 0502CB11-1419-4B21-8A90-26D6447CDEF6
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14952 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:16:43 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1479755401-1249535806-2758820533-1051272137
Account Name: 58334689-673E-4A7A-B542-70A4C923A93E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1832BA
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14951 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:16:39 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1479755401-1249535806-2758820533-1051272137
Account Name: 58334689-673E-4A7A-B542-70A4C923A93E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1832BA
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14950 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:16:39 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1479755401-1249535806-2758820533-1051272137
Account Name: 58334689-673E-4A7A-B542-70A4C923A93E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1832BA
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14949 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:16:39 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 58334689-673E-4A7A-B542-70A4C923A93E
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14948 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:16:39 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1297221978-1337700865-477437058-505232816
Account Name: 4D52095A-B201-4FBB-821C-751CB03D1D1E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x16690B
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14947 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:16:30 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1479755401-1249535806-2758820533-1051272137
Account Name: 58334689-673E-4A7A-B542-70A4C923A93E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x17ED94
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14946 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:16:26 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1479755401-1249535806-2758820533-1051272137
Account Name: 58334689-673E-4A7A-B542-70A4C923A93E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x17ED94
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14945 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:16:26 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1479755401-1249535806-2758820533-1051272137
Account Name: 58334689-673E-4A7A-B542-70A4C923A93E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x17ED94
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14944 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:16:26 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 58334689-673E-4A7A-B542-70A4C923A93E
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14943 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:16:26 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1479755401-1249535806-2758820533-1051272137
Account Name: 58334689-673E-4A7A-B542-70A4C923A93E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x17DE81
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14942 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:16:26 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1479755401-1249535806-2758820533-1051272137
Account Name: 58334689-673E-4A7A-B542-70A4C923A93E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x17DFC9
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14941 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:16:26 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1479755401-1249535806-2758820533-1051272137
Account Name: 58334689-673E-4A7A-B542-70A4C923A93E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x17DFC9
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14940 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:16:26 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 58334689-673E-4A7A-B542-70A4C923A93E
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14939 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:16:26 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1479755401-1249535806-2758820533-1051272137
Account Name: 58334689-673E-4A7A-B542-70A4C923A93E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x17DF70
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14938 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:16:26 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1479755401-1249535806-2758820533-1051272137
Account Name: 58334689-673E-4A7A-B542-70A4C923A93E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x17DF70
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14937 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:16:26 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1479755401-1249535806-2758820533-1051272137
Account Name: 58334689-673E-4A7A-B542-70A4C923A93E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x17DF70
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14936 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:16:26 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 58334689-673E-4A7A-B542-70A4C923A93E
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14935 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:16:26 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1479755401-1249535806-2758820533-1051272137
Account Name: 58334689-673E-4A7A-B542-70A4C923A93E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x17DF27
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14934 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:16:26 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1479755401-1249535806-2758820533-1051272137
Account Name: 58334689-673E-4A7A-B542-70A4C923A93E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x17DF27
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14933 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:16:26 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1479755401-1249535806-2758820533-1051272137
Account Name: 58334689-673E-4A7A-B542-70A4C923A93E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x17DF27
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14932 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:16:26 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 58334689-673E-4A7A-B542-70A4C923A93E
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14931 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:16:26 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1479755401-1249535806-2758820533-1051272137
Account Name: 58334689-673E-4A7A-B542-70A4C923A93E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x17DE81
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14930 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:16:25 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1479755401-1249535806-2758820533-1051272137
Account Name: 58334689-673E-4A7A-B542-70A4C923A93E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x17DE81
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14929 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:16:25 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 58334689-673E-4A7A-B542-70A4C923A93E
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14928 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:16:25 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x174A9E
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14927 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:16:25 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1297221978-1337700865-477437058-505232816
Account Name: 4D52095A-B201-4FBB-821C-751CB03D1D1E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x17D6DE
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14926 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:16:19 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1297221978-1337700865-477437058-505232816
Account Name: 4D52095A-B201-4FBB-821C-751CB03D1D1E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x17D6DE
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14925 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:16:19 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1297221978-1337700865-477437058-505232816
Account Name: 4D52095A-B201-4FBB-821C-751CB03D1D1E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x17D6DE
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14924 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:16:19 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 4D52095A-B201-4FBB-821C-751CB03D1D1E
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14923 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:16:19 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1683D3
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14922 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:16:16 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1519225483-1077130311-117951895-1844410742
Account Name: 5A8D8A8B-B447-4033-97CD-07077679EF6D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x114EFB
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14921 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:16:02 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2702979836-1079855313-3875374209-584161775
Account Name: A11C32FC-48D1-405D-8184-FDE6EF99D122
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x175E42
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14920 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:16:01 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2702979836-1079855313-3875374209-584161775
Account Name: A11C32FC-48D1-405D-8184-FDE6EF99D122
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x175E42
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14919 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:16:01 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2702979836-1079855313-3875374209-584161775
Account Name: A11C32FC-48D1-405D-8184-FDE6EF99D122
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x175E42
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14918 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:16:01 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: A11C32FC-48D1-405D-8184-FDE6EF99D122
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14917 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:16:01 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x174A9E
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {0280A675-5C7E-EB18-A634-7A52969BC6F0}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 63869
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14916 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:58 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x174A9E
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14915 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:58 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x168DA3
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14914 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:57 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x168D8E
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14913 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:57 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x168D77
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14912 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:57 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x168CD4
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14911 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:57 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x168CB6
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14910 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:57 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x168C9A
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14909 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:57 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x168AF3
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14908 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:57 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x168ADE
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14907 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:57 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x168AC7
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14906 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:57 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x168698
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14905 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:57 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x168683
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14904 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:57 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x16866C
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14903 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:57 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1685A2
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14902 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:57 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x16858D
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14901 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:57 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x168576
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14900 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:57 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x168DCD
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14899 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:57 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x168565
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14898 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:57 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x168CFA
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14897 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:57 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x168B21
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14896 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:57 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x168829
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14895 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:57 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1686AE
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14894 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:57 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1685BA
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14893 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:57 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1519225483-1077130311-117951895-1844410742
Account Name: 5A8D8A8B-B447-4033-97CD-07077679EF6D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x170C2E
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14892 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:51 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1519225483-1077130311-117951895-1844410742
Account Name: 5A8D8A8B-B447-4033-97CD-07077679EF6D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x170C2E
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14891 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:51 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1519225483-1077130311-117951895-1844410742
Account Name: 5A8D8A8B-B447-4033-97CD-07077679EF6D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x170C2E
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14890 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:51 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 5A8D8A8B-B447-4033-97CD-07077679EF6D
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14889 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:51 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1297221978-1337700865-477437058-505232816
Account Name: 4D52095A-B201-4FBB-821C-751CB03D1D1E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x16EFF2
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14888 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:50 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1297221978-1337700865-477437058-505232816
Account Name: 4D52095A-B201-4FBB-821C-751CB03D1D1E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x16EFF2
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14887 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:50 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1297221978-1337700865-477437058-505232816
Account Name: 4D52095A-B201-4FBB-821C-751CB03D1D1E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x16EFF2
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14886 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:50 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 4D52095A-B201-4FBB-821C-751CB03D1D1E
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14885 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:50 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2702979836-1079855313-3875374209-584161775
Account Name: A11C32FC-48D1-405D-8184-FDE6EF99D122
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x16D802
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14884 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:49 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2702979836-1079855313-3875374209-584161775
Account Name: A11C32FC-48D1-405D-8184-FDE6EF99D122
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x16D802
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14883 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:49 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2702979836-1079855313-3875374209-584161775
Account Name: A11C32FC-48D1-405D-8184-FDE6EF99D122
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x16D802
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14882 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:49 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: A11C32FC-48D1-405D-8184-FDE6EF99D122
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14881 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:49 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2702979836-1079855313-3875374209-584161775
Account Name: A11C32FC-48D1-405D-8184-FDE6EF99D122
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x16C883
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14880 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:49 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2702979836-1079855313-3875374209-584161775
Account Name: A11C32FC-48D1-405D-8184-FDE6EF99D122
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x16C9CF
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14879 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:48 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2702979836-1079855313-3875374209-584161775
Account Name: A11C32FC-48D1-405D-8184-FDE6EF99D122
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x16C9CF
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14878 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:48 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: A11C32FC-48D1-405D-8184-FDE6EF99D122
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14877 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:48 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2702979836-1079855313-3875374209-584161775
Account Name: A11C32FC-48D1-405D-8184-FDE6EF99D122
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x16C976
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14876 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:48 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2702979836-1079855313-3875374209-584161775
Account Name: A11C32FC-48D1-405D-8184-FDE6EF99D122
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x16C976
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14875 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:48 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2702979836-1079855313-3875374209-584161775
Account Name: A11C32FC-48D1-405D-8184-FDE6EF99D122
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x16C976
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14874 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:48 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: A11C32FC-48D1-405D-8184-FDE6EF99D122
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14873 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:48 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2702979836-1079855313-3875374209-584161775
Account Name: A11C32FC-48D1-405D-8184-FDE6EF99D122
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x16C92D
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14872 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:48 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2702979836-1079855313-3875374209-584161775
Account Name: A11C32FC-48D1-405D-8184-FDE6EF99D122
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x16C92D
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14871 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:48 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2702979836-1079855313-3875374209-584161775
Account Name: A11C32FC-48D1-405D-8184-FDE6EF99D122
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x16C92D
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14870 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:48 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: A11C32FC-48D1-405D-8184-FDE6EF99D122
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14869 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:48 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2702979836-1079855313-3875374209-584161775
Account Name: A11C32FC-48D1-405D-8184-FDE6EF99D122
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x16C883
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14868 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:48 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2702979836-1079855313-3875374209-584161775
Account Name: A11C32FC-48D1-405D-8184-FDE6EF99D122
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x16C883
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14867 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:48 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: A11C32FC-48D1-405D-8184-FDE6EF99D122
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14866 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:48 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x168DCD
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {BA32453F-14A8-4DF7-1B09-E6BFDE89C5D2}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 63862
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14865 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:42 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x168DCD
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14864 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:42 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x168DA3
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {BA32453F-14A8-4DF7-1B09-E6BFDE89C5D2}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 63859
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14863 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:42 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x168DA3
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14862 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:42 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x168D8E
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {BA32453F-14A8-4DF7-1B09-E6BFDE89C5D2}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 63859
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14861 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:42 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x168D8E
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14860 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:42 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x168D77
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {81359CCD-33AE-CC9B-EB2C-C79D985DE856}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 63859
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14859 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:42 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x168D77
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14858 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:42 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x168CFA
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {BA32453F-14A8-4DF7-1B09-E6BFDE89C5D2}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 63862
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14857 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:41 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x168CFA
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14856 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:41 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x168CD4
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {BA32453F-14A8-4DF7-1B09-E6BFDE89C5D2}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 63859
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14855 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:41 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x168CD4
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14854 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:41 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x168CB6
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {BA32453F-14A8-4DF7-1B09-E6BFDE89C5D2}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 63859
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14853 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:41 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x168CB6
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14852 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:41 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x168C9A
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {81359CCD-33AE-CC9B-EB2C-C79D985DE856}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 63859
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14851 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:41 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x168C9A
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14850 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:41 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x168B21
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {BA32453F-14A8-4DF7-1B09-E6BFDE89C5D2}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 63862
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14849 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:41 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x168B21
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14848 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:41 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x168AF3
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {BA32453F-14A8-4DF7-1B09-E6BFDE89C5D2}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 63859
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14847 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:41 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x168AF3
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14846 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:41 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x168ADE
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {BA32453F-14A8-4DF7-1B09-E6BFDE89C5D2}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 63859
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14845 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:41 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x168ADE
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14844 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:41 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x168AC7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {81359CCD-33AE-CC9B-EB2C-C79D985DE856}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 63859
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14843 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:41 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x168AC7
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14842 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:41 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Identification
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x168829
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {81359CCD-33AE-CC9B-EB2C-C79D985DE856}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 63862
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14841 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:41 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x168829
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14840 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:41 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x1686AE
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {BA32453F-14A8-4DF7-1B09-E6BFDE89C5D2}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 63862
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14839 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:41 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1686AE
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14838 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:41 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x168698
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {BA32453F-14A8-4DF7-1B09-E6BFDE89C5D2}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 63859
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14837 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:41 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x168698
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14836 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:41 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x168683
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {BA32453F-14A8-4DF7-1B09-E6BFDE89C5D2}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 63859
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14835 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:41 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x168683
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14834 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:41 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x16866C
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {81359CCD-33AE-CC9B-EB2C-C79D985DE856}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 63859
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14833 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:41 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x16866C
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14832 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:41 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x1685BA
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {BA32453F-14A8-4DF7-1B09-E6BFDE89C5D2}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 63862
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14831 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:41 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1685BA
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14830 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:41 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x1685A2
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {BA32453F-14A8-4DF7-1B09-E6BFDE89C5D2}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 63859
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14829 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:41 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1685A2
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14828 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:41 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x16858D
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {BA32453F-14A8-4DF7-1B09-E6BFDE89C5D2}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 63859
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14827 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:41 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x16858D
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14826 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:41 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x168576
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {81359CCD-33AE-CC9B-EB2C-C79D985DE856}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 63859
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14825 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:41 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x168576
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14824 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:41 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Identification
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x168565
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {81359CCD-33AE-CC9B-EB2C-C79D985DE856}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 63859
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14823 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:41 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x168565
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14822 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:41 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x1683D3
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {81359CCD-33AE-CC9B-EB2C-C79D985DE856}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 63857
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14821 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:41 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x1683D3
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14820 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:41 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1297221978-1337700865-477437058-505232816
Account Name: 4D52095A-B201-4FBB-821C-751CB03D1D1E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x167746
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14819 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:40 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1297221978-1337700865-477437058-505232816
Account Name: 4D52095A-B201-4FBB-821C-751CB03D1D1E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x167746
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14818 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:40 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1297221978-1337700865-477437058-505232816
Account Name: 4D52095A-B201-4FBB-821C-751CB03D1D1E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x167746
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14817 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:40 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 4D52095A-B201-4FBB-821C-751CB03D1D1E
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14816 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:40 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1297221978-1337700865-477437058-505232816
Account Name: 4D52095A-B201-4FBB-821C-751CB03D1D1E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x16674B
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14815 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:40 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1297221978-1337700865-477437058-505232816
Account Name: 4D52095A-B201-4FBB-821C-751CB03D1D1E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x16690B
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14814 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:40 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1297221978-1337700865-477437058-505232816
Account Name: 4D52095A-B201-4FBB-821C-751CB03D1D1E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x16690B
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14813 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:40 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 4D52095A-B201-4FBB-821C-751CB03D1D1E
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14812 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:40 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1297221978-1337700865-477437058-505232816
Account Name: 4D52095A-B201-4FBB-821C-751CB03D1D1E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x166839
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14811 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:40 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1297221978-1337700865-477437058-505232816
Account Name: 4D52095A-B201-4FBB-821C-751CB03D1D1E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x166839
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14810 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:40 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1297221978-1337700865-477437058-505232816
Account Name: 4D52095A-B201-4FBB-821C-751CB03D1D1E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x166839
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14809 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:40 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 4D52095A-B201-4FBB-821C-751CB03D1D1E
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14808 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:40 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1297221978-1337700865-477437058-505232816
Account Name: 4D52095A-B201-4FBB-821C-751CB03D1D1E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1667F0
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14807 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:40 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1297221978-1337700865-477437058-505232816
Account Name: 4D52095A-B201-4FBB-821C-751CB03D1D1E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1667F0
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14806 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:40 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1297221978-1337700865-477437058-505232816
Account Name: 4D52095A-B201-4FBB-821C-751CB03D1D1E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1667F0
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14805 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:40 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 4D52095A-B201-4FBB-821C-751CB03D1D1E
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14804 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:40 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1297221978-1337700865-477437058-505232816
Account Name: 4D52095A-B201-4FBB-821C-751CB03D1D1E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x16674B
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14803 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:40 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1297221978-1337700865-477437058-505232816
Account Name: 4D52095A-B201-4FBB-821C-751CB03D1D1E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x16674B
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14802 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:40 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 4D52095A-B201-4FBB-821C-751CB03D1D1E
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14801 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:40 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x14DB61
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14800 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:34 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3332629201-1262610018-3687954085-3746217559
Account Name: C6A3E2D1-E662-4B41-A5B6-D1DB57BE4ADF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xC7717
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14799 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:32 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-84069137-1260459033-3592851594-4141775940
Account Name: 0502CB11-1419-4B21-8A90-26D6447CDEF6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x15D395
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14798 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:25 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-84069137-1260459033-3592851594-4141775940
Account Name: 0502CB11-1419-4B21-8A90-26D6447CDEF6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x15D395
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14797 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:25 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-84069137-1260459033-3592851594-4141775940
Account Name: 0502CB11-1419-4B21-8A90-26D6447CDEF6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x15D395
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14796 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:25 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 0502CB11-1419-4B21-8A90-26D6447CDEF6
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14795 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:25 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-433913771-1084686010-3281122437-3190870793
Account Name: 19DCFFAB-FEBA-40A6-85F4-91C309D330BE
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xDCE35
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14794 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:24 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2740766654-1295899679-1807655358-4246601915
Account Name: A35CC7BE-DC1F-4D3D-BEA1-BE6BBB001EFD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xE1BBE
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14793 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:24 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-891053803-1139783623-2492846775-4110510770
Account Name: 351C66EB-B7C7-43EF-B7D2-9594B26A01F5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x101663
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14792 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:20 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x14DB61
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {0280A675-5C7E-EB18-A634-7A52969BC6F0}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 63845
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14791 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:18 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x14DB61
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14790 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:18 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-84069137-1260459033-3592851594-4141775940
Account Name: 0502CB11-1419-4B21-8A90-26D6447CDEF6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x14B588
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14789 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:16 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-84069137-1260459033-3592851594-4141775940
Account Name: 0502CB11-1419-4B21-8A90-26D6447CDEF6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x14B588
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14788 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-84069137-1260459033-3592851594-4141775940
Account Name: 0502CB11-1419-4B21-8A90-26D6447CDEF6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x14B588
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14787 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 0502CB11-1419-4B21-8A90-26D6447CDEF6
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14786 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-84069137-1260459033-3592851594-4141775940
Account Name: 0502CB11-1419-4B21-8A90-26D6447CDEF6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x14A5D1
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14785 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:15 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-84069137-1260459033-3592851594-4141775940
Account Name: 0502CB11-1419-4B21-8A90-26D6447CDEF6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x14A71D
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14784 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:15 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-84069137-1260459033-3592851594-4141775940
Account Name: 0502CB11-1419-4B21-8A90-26D6447CDEF6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x14A71D
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14783 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:15 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 0502CB11-1419-4B21-8A90-26D6447CDEF6
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14782 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:15 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-84069137-1260459033-3592851594-4141775940
Account Name: 0502CB11-1419-4B21-8A90-26D6447CDEF6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x14A6C4
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14781 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:15 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-84069137-1260459033-3592851594-4141775940
Account Name: 0502CB11-1419-4B21-8A90-26D6447CDEF6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x14A6C4
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14780 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:15 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-84069137-1260459033-3592851594-4141775940
Account Name: 0502CB11-1419-4B21-8A90-26D6447CDEF6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x14A6C4
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14779 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:15 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 0502CB11-1419-4B21-8A90-26D6447CDEF6
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14778 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:15 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-84069137-1260459033-3592851594-4141775940
Account Name: 0502CB11-1419-4B21-8A90-26D6447CDEF6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x14A676
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14777 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:15 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-84069137-1260459033-3592851594-4141775940
Account Name: 0502CB11-1419-4B21-8A90-26D6447CDEF6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x14A676
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14776 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:15 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-84069137-1260459033-3592851594-4141775940
Account Name: 0502CB11-1419-4B21-8A90-26D6447CDEF6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x14A676
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14775 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:15 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 0502CB11-1419-4B21-8A90-26D6447CDEF6
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14774 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:15 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-84069137-1260459033-3592851594-4141775940
Account Name: 0502CB11-1419-4B21-8A90-26D6447CDEF6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x14A5D1
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14773 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:15 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-84069137-1260459033-3592851594-4141775940
Account Name: 0502CB11-1419-4B21-8A90-26D6447CDEF6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x14A5D1
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14772 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:15 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 0502CB11-1419-4B21-8A90-26D6447CDEF6
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14771 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:15 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x12A8E3
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14770 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:14 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-704922105-1169053871-513812396-1042910259
Account Name: 2A0441F9-58AF-45AE-AC27-A01E338C293E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xF19EA
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14769 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:14 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1519225483-1077130311-117951895-1844410742
Account Name: 5A8D8A8B-B447-4033-97CD-07077679EF6D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x146A9C
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14768 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:12 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1519225483-1077130311-117951895-1844410742
Account Name: 5A8D8A8B-B447-4033-97CD-07077679EF6D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x146A9C
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14767 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:12 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1519225483-1077130311-117951895-1844410742
Account Name: 5A8D8A8B-B447-4033-97CD-07077679EF6D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x146A9C
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14766 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:12 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 5A8D8A8B-B447-4033-97CD-07077679EF6D
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14765 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:12 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14764 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:06 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x328
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14763 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:06 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2219524086-1324169162-1082576281-908331269
Account Name: 844B3FF6-37CA-4EED-99CD-864005092436
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x133B35
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14762 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:00 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2219524086-1324169162-1082576281-908331269
Account Name: 844B3FF6-37CA-4EED-99CD-864005092436
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x133B35
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14761 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:00 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2219524086-1324169162-1082576281-908331269
Account Name: 844B3FF6-37CA-4EED-99CD-864005092436
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x133B35
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14760 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:00 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 844B3FF6-37CA-4EED-99CD-864005092436
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14759 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:15:00 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2219524086-1324169162-1082576281-908331269
Account Name: 844B3FF6-37CA-4EED-99CD-864005092436
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x13270B
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14758 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:14:59 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2219524086-1324169162-1082576281-908331269
Account Name: 844B3FF6-37CA-4EED-99CD-864005092436
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x13270B
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14757 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:14:59 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2219524086-1324169162-1082576281-908331269
Account Name: 844B3FF6-37CA-4EED-99CD-864005092436
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x13270B
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14756 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:14:59 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 844B3FF6-37CA-4EED-99CD-864005092436
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14755 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:14:59 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2219524086-1324169162-1082576281-908331269
Account Name: 844B3FF6-37CA-4EED-99CD-864005092436
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x131765
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14754 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:14:59 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2219524086-1324169162-1082576281-908331269
Account Name: 844B3FF6-37CA-4EED-99CD-864005092436
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1318AD
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14753 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:14:59 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2219524086-1324169162-1082576281-908331269
Account Name: 844B3FF6-37CA-4EED-99CD-864005092436
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1318AD
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14752 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:14:59 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 844B3FF6-37CA-4EED-99CD-864005092436
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14751 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:14:59 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2219524086-1324169162-1082576281-908331269
Account Name: 844B3FF6-37CA-4EED-99CD-864005092436
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x131854
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14750 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:14:59 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2219524086-1324169162-1082576281-908331269
Account Name: 844B3FF6-37CA-4EED-99CD-864005092436
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x131854
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14749 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:14:59 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2219524086-1324169162-1082576281-908331269
Account Name: 844B3FF6-37CA-4EED-99CD-864005092436
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x131854
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14748 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:14:59 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 844B3FF6-37CA-4EED-99CD-864005092436
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14747 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:14:59 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2219524086-1324169162-1082576281-908331269
Account Name: 844B3FF6-37CA-4EED-99CD-864005092436
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x13180B
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14746 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:14:59 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2219524086-1324169162-1082576281-908331269
Account Name: 844B3FF6-37CA-4EED-99CD-864005092436
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x13180B
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14745 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:14:59 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2219524086-1324169162-1082576281-908331269
Account Name: 844B3FF6-37CA-4EED-99CD-864005092436
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x13180B
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14744 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:14:59 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 844B3FF6-37CA-4EED-99CD-864005092436
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14743 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:14:59 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2219524086-1324169162-1082576281-908331269
Account Name: 844B3FF6-37CA-4EED-99CD-864005092436
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x131765
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14742 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:14:59 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2219524086-1324169162-1082576281-908331269
Account Name: 844B3FF6-37CA-4EED-99CD-864005092436
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x131765
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14741 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:14:59 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 844B3FF6-37CA-4EED-99CD-864005092436
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14740 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:14:59 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1506328993-1290617643-775474329-2092699608
Account Name: 59C8C1A1-432B-4CED-99CC-382ED80FBC7C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x111758
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14739 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:14:54 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1506328993-1290617643-775474329-2092699608
Account Name: 59C8C1A1-432B-4CED-99CC-382ED80FBC7C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x12ADFD
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14738 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:14:48 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1506328993-1290617643-775474329-2092699608
Account Name: 59C8C1A1-432B-4CED-99CC-382ED80FBC7C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x12ADFD
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14737 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:14:48 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1506328993-1290617643-775474329-2092699608
Account Name: 59C8C1A1-432B-4CED-99CC-382ED80FBC7C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x12ADFD
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14736 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:14:48 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 59C8C1A1-432B-4CED-99CC-382ED80FBC7C
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14735 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:14:48 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x12AB80
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14734 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:14:47 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x12AB96
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14733 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:14:47 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x12AB96
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: N-H2-849328-3
Source Network Address: 10.222.0.76
Source Port: 63839
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): NTLM V2
Key Length: 128
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14732 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:14:47 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x12AB96
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14731 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:14:47 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x12AB80
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: N-H2-849328-3
Source Network Address: 10.222.0.76
Source Port: 63838
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): NTLM V2
Key Length: 128
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14730 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:14:47 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x12AB80
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14729 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:14:47 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x12AB7E
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14728 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:14:47 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x12AB7E
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: N-H2-849328-3
Source Network Address: 10.222.0.76
Source Port: 63837
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): NTLM V2
Key Length: 128
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14727 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:14:47 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x12AB7E
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14726 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:14:47 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x12A8E3
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: N-H2-849328-3
Source Network Address: 10.222.0.76
Source Port: 63836
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): NTLM V2
Key Length: 128
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14725 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:14:47 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0x12A8E3
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14724 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:14:47 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2205969912-1192822972-2869751734-3681759165
Account Name: 837C6DF8-08BC-4719-B6EF-0CABBD2F73DB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1203A4
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14723 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:14:43 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2205969912-1192822972-2869751734-3681759165
Account Name: 837C6DF8-08BC-4719-B6EF-0CABBD2F73DB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x124E35
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14722 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:14:31 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2205969912-1192822972-2869751734-3681759165
Account Name: 837C6DF8-08BC-4719-B6EF-0CABBD2F73DB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x124E35
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14721 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:14:31 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2205969912-1192822972-2869751734-3681759165
Account Name: 837C6DF8-08BC-4719-B6EF-0CABBD2F73DB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x124E35
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14720 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:14:31 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 837C6DF8-08BC-4719-B6EF-0CABBD2F73DB
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14719 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:14:31 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2205969912-1192822972-2869751734-3681759165
Account Name: 837C6DF8-08BC-4719-B6EF-0CABBD2F73DB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x12190C
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14718 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:14:22 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2205969912-1192822972-2869751734-3681759165
Account Name: 837C6DF8-08BC-4719-B6EF-0CABBD2F73DB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x12190C
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14717 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:14:22 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2205969912-1192822972-2869751734-3681759165
Account Name: 837C6DF8-08BC-4719-B6EF-0CABBD2F73DB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x12190C
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14716 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:14:22 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 837C6DF8-08BC-4719-B6EF-0CABBD2F73DB
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14715 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:14:22 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2205969912-1192822972-2869751734-3681759165
Account Name: 837C6DF8-08BC-4719-B6EF-0CABBD2F73DB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1200F5
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14714 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:14:21 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2205969912-1192822972-2869751734-3681759165
Account Name: 837C6DF8-08BC-4719-B6EF-0CABBD2F73DB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1203A4
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14713 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:14:21 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2205969912-1192822972-2869751734-3681759165
Account Name: 837C6DF8-08BC-4719-B6EF-0CABBD2F73DB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1203A4
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14712 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:14:21 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 837C6DF8-08BC-4719-B6EF-0CABBD2F73DB
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14711 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:14:21 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2205969912-1192822972-2869751734-3681759165
Account Name: 837C6DF8-08BC-4719-B6EF-0CABBD2F73DB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x120333
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14710 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:14:21 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2205969912-1192822972-2869751734-3681759165
Account Name: 837C6DF8-08BC-4719-B6EF-0CABBD2F73DB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x120333
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14709 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:14:21 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2205969912-1192822972-2869751734-3681759165
Account Name: 837C6DF8-08BC-4719-B6EF-0CABBD2F73DB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x120333
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14708 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:14:21 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 837C6DF8-08BC-4719-B6EF-0CABBD2F73DB
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14707 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:14:21 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2205969912-1192822972-2869751734-3681759165
Account Name: 837C6DF8-08BC-4719-B6EF-0CABBD2F73DB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1202D8
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14706 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:14:21 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2205969912-1192822972-2869751734-3681759165
Account Name: 837C6DF8-08BC-4719-B6EF-0CABBD2F73DB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1202D8
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14705 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:14:21 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2205969912-1192822972-2869751734-3681759165
Account Name: 837C6DF8-08BC-4719-B6EF-0CABBD2F73DB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1202D8
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14704 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:14:21 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 837C6DF8-08BC-4719-B6EF-0CABBD2F73DB
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14703 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:14:21 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2205969912-1192822972-2869751734-3681759165
Account Name: 837C6DF8-08BC-4719-B6EF-0CABBD2F73DB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1200F5
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14702 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:14:21 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2205969912-1192822972-2869751734-3681759165
Account Name: 837C6DF8-08BC-4719-B6EF-0CABBD2F73DB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1200F5
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14701 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:14:21 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 837C6DF8-08BC-4719-B6EF-0CABBD2F73DB
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14700 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:14:21 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1519225483-1077130311-117951895-1844410742
Account Name: 5A8D8A8B-B447-4033-97CD-07077679EF6D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x11C14A
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14699 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:14:07 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1519225483-1077130311-117951895-1844410742
Account Name: 5A8D8A8B-B447-4033-97CD-07077679EF6D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x11C14A
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14698 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:14:07 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1519225483-1077130311-117951895-1844410742
Account Name: 5A8D8A8B-B447-4033-97CD-07077679EF6D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x11C14A
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14697 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:14:07 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 5A8D8A8B-B447-4033-97CD-07077679EF6D
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14696 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:14:07 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1506328993-1290617643-775474329-2092699608
Account Name: 59C8C1A1-432B-4CED-99CC-382ED80FBC7C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x11793C
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14695 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:14:02 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1506328993-1290617643-775474329-2092699608
Account Name: 59C8C1A1-432B-4CED-99CC-382ED80FBC7C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x11793C
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14694 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:14:02 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1506328993-1290617643-775474329-2092699608
Account Name: 59C8C1A1-432B-4CED-99CC-382ED80FBC7C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x11793C
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14693 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:14:02 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 59C8C1A1-432B-4CED-99CC-382ED80FBC7C
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14692 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:14:02 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1519225483-1077130311-117951895-1844410742
Account Name: 5A8D8A8B-B447-4033-97CD-07077679EF6D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x115EC8
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14691 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:14:00 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1519225483-1077130311-117951895-1844410742
Account Name: 5A8D8A8B-B447-4033-97CD-07077679EF6D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x115EC8
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14690 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:14:00 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1519225483-1077130311-117951895-1844410742
Account Name: 5A8D8A8B-B447-4033-97CD-07077679EF6D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x115EC8
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14689 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:14:00 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 5A8D8A8B-B447-4033-97CD-07077679EF6D
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14688 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:14:00 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1519225483-1077130311-117951895-1844410742
Account Name: 5A8D8A8B-B447-4033-97CD-07077679EF6D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x114D38
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14687 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:59 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1519225483-1077130311-117951895-1844410742
Account Name: 5A8D8A8B-B447-4033-97CD-07077679EF6D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x114EFB
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14686 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:59 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1519225483-1077130311-117951895-1844410742
Account Name: 5A8D8A8B-B447-4033-97CD-07077679EF6D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x114EFB
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14685 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:59 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 5A8D8A8B-B447-4033-97CD-07077679EF6D
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14684 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:59 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1519225483-1077130311-117951895-1844410742
Account Name: 5A8D8A8B-B447-4033-97CD-07077679EF6D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x114EA2
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14683 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:59 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1519225483-1077130311-117951895-1844410742
Account Name: 5A8D8A8B-B447-4033-97CD-07077679EF6D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x114EA2
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14682 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:59 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1519225483-1077130311-117951895-1844410742
Account Name: 5A8D8A8B-B447-4033-97CD-07077679EF6D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x114EA2
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14681 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:59 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 5A8D8A8B-B447-4033-97CD-07077679EF6D
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14680 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:59 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1519225483-1077130311-117951895-1844410742
Account Name: 5A8D8A8B-B447-4033-97CD-07077679EF6D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x114E59
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14679 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:59 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1519225483-1077130311-117951895-1844410742
Account Name: 5A8D8A8B-B447-4033-97CD-07077679EF6D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x114E59
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14678 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:59 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1519225483-1077130311-117951895-1844410742
Account Name: 5A8D8A8B-B447-4033-97CD-07077679EF6D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x114E59
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14677 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:59 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 5A8D8A8B-B447-4033-97CD-07077679EF6D
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14676 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:59 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1519225483-1077130311-117951895-1844410742
Account Name: 5A8D8A8B-B447-4033-97CD-07077679EF6D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x114D38
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14675 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:59 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1519225483-1077130311-117951895-1844410742
Account Name: 5A8D8A8B-B447-4033-97CD-07077679EF6D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x114D38
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14674 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:59 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 5A8D8A8B-B447-4033-97CD-07077679EF6D
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14673 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:59 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1506328993-1290617643-775474329-2092699608
Account Name: 59C8C1A1-432B-4CED-99CC-382ED80FBC7C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x112673
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14672 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:53 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1506328993-1290617643-775474329-2092699608
Account Name: 59C8C1A1-432B-4CED-99CC-382ED80FBC7C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x112673
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14671 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:53 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1506328993-1290617643-775474329-2092699608
Account Name: 59C8C1A1-432B-4CED-99CC-382ED80FBC7C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x112673
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14670 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:53 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 59C8C1A1-432B-4CED-99CC-382ED80FBC7C
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14669 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:53 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1506328993-1290617643-775474329-2092699608
Account Name: 59C8C1A1-432B-4CED-99CC-382ED80FBC7C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x111610
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14668 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:53 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1506328993-1290617643-775474329-2092699608
Account Name: 59C8C1A1-432B-4CED-99CC-382ED80FBC7C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x111758
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14667 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:53 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1506328993-1290617643-775474329-2092699608
Account Name: 59C8C1A1-432B-4CED-99CC-382ED80FBC7C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x111758
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14666 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:53 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 59C8C1A1-432B-4CED-99CC-382ED80FBC7C
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14665 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:53 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1506328993-1290617643-775474329-2092699608
Account Name: 59C8C1A1-432B-4CED-99CC-382ED80FBC7C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1116FF
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14664 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:53 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1506328993-1290617643-775474329-2092699608
Account Name: 59C8C1A1-432B-4CED-99CC-382ED80FBC7C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1116FF
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14663 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:53 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1506328993-1290617643-775474329-2092699608
Account Name: 59C8C1A1-432B-4CED-99CC-382ED80FBC7C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1116FF
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14662 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:53 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 59C8C1A1-432B-4CED-99CC-382ED80FBC7C
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14661 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:53 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1506328993-1290617643-775474329-2092699608
Account Name: 59C8C1A1-432B-4CED-99CC-382ED80FBC7C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1116B6
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14660 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:53 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1506328993-1290617643-775474329-2092699608
Account Name: 59C8C1A1-432B-4CED-99CC-382ED80FBC7C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1116B6
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14659 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:53 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1506328993-1290617643-775474329-2092699608
Account Name: 59C8C1A1-432B-4CED-99CC-382ED80FBC7C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1116B6
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14658 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:53 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 59C8C1A1-432B-4CED-99CC-382ED80FBC7C
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14657 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:53 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1506328993-1290617643-775474329-2092699608
Account Name: 59C8C1A1-432B-4CED-99CC-382ED80FBC7C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x111610
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14656 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:53 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1506328993-1290617643-775474329-2092699608
Account Name: 59C8C1A1-432B-4CED-99CC-382ED80FBC7C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x111610
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14655 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:53 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 59C8C1A1-432B-4CED-99CC-382ED80FBC7C
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14654 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:53 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-4012731073-1153795455-524955009-1736700541
Account Name: EF2D6AC1-857F-44C5-812D-4A1F7DF28367
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xEE66C
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14653 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:46 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-891053803-1139783623-2492846775-4110510770
Account Name: 351C66EB-B7C7-43EF-B7D2-9594B26A01F5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x10C2B4
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14652 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:41 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-891053803-1139783623-2492846775-4110510770
Account Name: 351C66EB-B7C7-43EF-B7D2-9594B26A01F5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x10C2B4
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14651 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:41 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-891053803-1139783623-2492846775-4110510770
Account Name: 351C66EB-B7C7-43EF-B7D2-9594B26A01F5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x10C2B4
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14650 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:41 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 351C66EB-B7C7-43EF-B7D2-9594B26A01F5
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14649 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:41 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0xF8142
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14648 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:37 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0xFAC5F
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14647 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:31 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1872160660-1207846442-4097333893-2111256751
Account Name: 6F96E794-462A-47FE-855A-38F4AF38D77D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xD8DBA
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14646 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:31 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-4012731073-1153795455-524955009-1736700541
Account Name: EF2D6AC1-857F-44C5-812D-4A1F7DF28367
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x107CC2
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14645 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:31 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-4012731073-1153795455-524955009-1736700541
Account Name: EF2D6AC1-857F-44C5-812D-4A1F7DF28367
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x107CC2
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14644 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:31 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-4012731073-1153795455-524955009-1736700541
Account Name: EF2D6AC1-857F-44C5-812D-4A1F7DF28367
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x107CC2
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14643 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:31 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: EF2D6AC1-857F-44C5-812D-4A1F7DF28367
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14642 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:31 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-891053803-1139783623-2492846775-4110510770
Account Name: 351C66EB-B7C7-43EF-B7D2-9594B26A01F5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x102A78
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14641 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:28 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-891053803-1139783623-2492846775-4110510770
Account Name: 351C66EB-B7C7-43EF-B7D2-9594B26A01F5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x102A78
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14640 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:28 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-891053803-1139783623-2492846775-4110510770
Account Name: 351C66EB-B7C7-43EF-B7D2-9594B26A01F5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x102A78
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14639 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:28 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 351C66EB-B7C7-43EF-B7D2-9594B26A01F5
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14638 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:28 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-891053803-1139783623-2492846775-4110510770
Account Name: 351C66EB-B7C7-43EF-B7D2-9594B26A01F5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x101513
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14637 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:28 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-891053803-1139783623-2492846775-4110510770
Account Name: 351C66EB-B7C7-43EF-B7D2-9594B26A01F5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x101663
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14636 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:28 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-891053803-1139783623-2492846775-4110510770
Account Name: 351C66EB-B7C7-43EF-B7D2-9594B26A01F5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x101663
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14635 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:28 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 351C66EB-B7C7-43EF-B7D2-9594B26A01F5
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14634 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:28 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-891053803-1139783623-2492846775-4110510770
Account Name: 351C66EB-B7C7-43EF-B7D2-9594B26A01F5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x101601
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14633 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:28 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-891053803-1139783623-2492846775-4110510770
Account Name: 351C66EB-B7C7-43EF-B7D2-9594B26A01F5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x101601
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14632 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:28 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-891053803-1139783623-2492846775-4110510770
Account Name: 351C66EB-B7C7-43EF-B7D2-9594B26A01F5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x101601
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14631 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:28 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 351C66EB-B7C7-43EF-B7D2-9594B26A01F5
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14630 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:28 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-891053803-1139783623-2492846775-4110510770
Account Name: 351C66EB-B7C7-43EF-B7D2-9594B26A01F5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1015B8
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14629 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:28 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-891053803-1139783623-2492846775-4110510770
Account Name: 351C66EB-B7C7-43EF-B7D2-9594B26A01F5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1015B8
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14628 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:28 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-891053803-1139783623-2492846775-4110510770
Account Name: 351C66EB-B7C7-43EF-B7D2-9594B26A01F5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x1015B8
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14627 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:28 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 351C66EB-B7C7-43EF-B7D2-9594B26A01F5
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14626 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:28 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-891053803-1139783623-2492846775-4110510770
Account Name: 351C66EB-B7C7-43EF-B7D2-9594B26A01F5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x101513
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14625 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:28 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-891053803-1139783623-2492846775-4110510770
Account Name: 351C66EB-B7C7-43EF-B7D2-9594B26A01F5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x101513
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14624 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:28 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 351C66EB-B7C7-43EF-B7D2-9594B26A01F5
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14623 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:28 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2601621104-1301550407-1866575762-1294575223
Account Name: 9B119670-1547-4D94-92AF-416F77A6294D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xFD96D
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14622 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:24 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2601621104-1301550407-1866575762-1294575223
Account Name: 9B119670-1547-4D94-92AF-416F77A6294D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xFD96D
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14621 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:24 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2601621104-1301550407-1866575762-1294575223
Account Name: 9B119670-1547-4D94-92AF-416F77A6294D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xFD96D
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14620 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:24 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 9B119670-1547-4D94-92AF-416F77A6294D
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14619 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:24 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2601621104-1301550407-1866575762-1294575223
Account Name: 9B119670-1547-4D94-92AF-416F77A6294D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xFC567
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14618 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:23 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2601621104-1301550407-1866575762-1294575223
Account Name: 9B119670-1547-4D94-92AF-416F77A6294D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xFC567
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14617 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:23 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2601621104-1301550407-1866575762-1294575223
Account Name: 9B119670-1547-4D94-92AF-416F77A6294D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xFC567
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14616 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:23 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 9B119670-1547-4D94-92AF-416F77A6294D
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14615 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:23 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2601621104-1301550407-1866575762-1294575223
Account Name: 9B119670-1547-4D94-92AF-416F77A6294D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xFB48B
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14614 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:23 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2601621104-1301550407-1866575762-1294575223
Account Name: 9B119670-1547-4D94-92AF-416F77A6294D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xFB5D2
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14613 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:23 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2601621104-1301550407-1866575762-1294575223
Account Name: 9B119670-1547-4D94-92AF-416F77A6294D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xFB5D2
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14612 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:23 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 9B119670-1547-4D94-92AF-416F77A6294D
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14611 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:23 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2601621104-1301550407-1866575762-1294575223
Account Name: 9B119670-1547-4D94-92AF-416F77A6294D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xFB579
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14610 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:23 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2601621104-1301550407-1866575762-1294575223
Account Name: 9B119670-1547-4D94-92AF-416F77A6294D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xFB579
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14609 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:23 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2601621104-1301550407-1866575762-1294575223
Account Name: 9B119670-1547-4D94-92AF-416F77A6294D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xFB579
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14608 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:23 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 9B119670-1547-4D94-92AF-416F77A6294D
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14607 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:23 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2601621104-1301550407-1866575762-1294575223
Account Name: 9B119670-1547-4D94-92AF-416F77A6294D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xFB530
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14606 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:23 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2601621104-1301550407-1866575762-1294575223
Account Name: 9B119670-1547-4D94-92AF-416F77A6294D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xFB530
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14605 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:23 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2601621104-1301550407-1866575762-1294575223
Account Name: 9B119670-1547-4D94-92AF-416F77A6294D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xFB530
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14604 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:23 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 9B119670-1547-4D94-92AF-416F77A6294D
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14603 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:23 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2601621104-1301550407-1866575762-1294575223
Account Name: 9B119670-1547-4D94-92AF-416F77A6294D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xFB48B
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14602 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:22 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2601621104-1301550407-1866575762-1294575223
Account Name: 9B119670-1547-4D94-92AF-416F77A6294D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xFB48B
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14601 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:22 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 9B119670-1547-4D94-92AF-416F77A6294D
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14600 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:22 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0xFAC5F
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {0280A675-5C7E-EB18-A634-7A52969BC6F0}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 63811
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14599 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:17 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0xFAC5F
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14598 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:17 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-704922105-1169053871-513812396-1042910259
Account Name: 2A0441F9-58AF-45AE-AC27-A01E338C293E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xF8C38
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14597 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:16 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-704922105-1169053871-513812396-1042910259
Account Name: 2A0441F9-58AF-45AE-AC27-A01E338C293E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xF8C38
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14596 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-704922105-1169053871-513812396-1042910259
Account Name: 2A0441F9-58AF-45AE-AC27-A01E338C293E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xF8C38
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14595 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 2A0441F9-58AF-45AE-AC27-A01E338C293E
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14594 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0xF81A7
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14593 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:15 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0xF81BA
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14592 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:15 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0xF81A6
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14591 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:15 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0xF81A7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: N-H2-849328-3
Source Network Address: 10.222.0.76
Source Port: 63809
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): NTLM V2
Key Length: 128
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14590 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:15 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0xF81A7
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14589 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:15 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0xF81BA
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: N-H2-849328-3
Source Network Address: 10.222.0.76
Source Port: 63810
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): NTLM V2
Key Length: 128
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14588 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:15 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0xF81BA
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14587 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:15 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0xF81A6
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: N-H2-849328-3
Source Network Address: 10.222.0.76
Source Port: 63808
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): NTLM V2
Key Length: 128
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14586 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:15 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0xF81A6
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14585 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:15 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0xF8142
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: N-H2-849328-3
Source Network Address: 10.222.0.76
Source Port: 63807
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): NTLM V2
Key Length: 128
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14584 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:15 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0xF8142
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14583 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:15 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-4012731073-1153795455-524955009-1736700541
Account Name: EF2D6AC1-857F-44C5-812D-4A1F7DF28367
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xF4C21
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14582 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:09 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-4012731073-1153795455-524955009-1736700541
Account Name: EF2D6AC1-857F-44C5-812D-4A1F7DF28367
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xF4C21
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14581 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:09 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-4012731073-1153795455-524955009-1736700541
Account Name: EF2D6AC1-857F-44C5-812D-4A1F7DF28367
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xF4C21
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14580 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:09 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: EF2D6AC1-857F-44C5-812D-4A1F7DF28367
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14579 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:09 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-704922105-1169053871-513812396-1042910259
Account Name: 2A0441F9-58AF-45AE-AC27-A01E338C293E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xF2CA8
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14578 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:07 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-704922105-1169053871-513812396-1042910259
Account Name: 2A0441F9-58AF-45AE-AC27-A01E338C293E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xF2CA8
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14577 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:06 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-704922105-1169053871-513812396-1042910259
Account Name: 2A0441F9-58AF-45AE-AC27-A01E338C293E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xF2CA8
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14576 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:06 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 2A0441F9-58AF-45AE-AC27-A01E338C293E
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14575 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:06 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-704922105-1169053871-513812396-1042910259
Account Name: 2A0441F9-58AF-45AE-AC27-A01E338C293E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xF18A3
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14574 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:06 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-704922105-1169053871-513812396-1042910259
Account Name: 2A0441F9-58AF-45AE-AC27-A01E338C293E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xF19EA
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14573 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:06 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-704922105-1169053871-513812396-1042910259
Account Name: 2A0441F9-58AF-45AE-AC27-A01E338C293E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xF19EA
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14572 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:06 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 2A0441F9-58AF-45AE-AC27-A01E338C293E
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14571 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:06 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-704922105-1169053871-513812396-1042910259
Account Name: 2A0441F9-58AF-45AE-AC27-A01E338C293E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xF1991
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14570 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:06 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-704922105-1169053871-513812396-1042910259
Account Name: 2A0441F9-58AF-45AE-AC27-A01E338C293E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xF1991
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14569 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:06 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-704922105-1169053871-513812396-1042910259
Account Name: 2A0441F9-58AF-45AE-AC27-A01E338C293E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xF1991
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14568 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:06 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 2A0441F9-58AF-45AE-AC27-A01E338C293E
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14567 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:06 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-704922105-1169053871-513812396-1042910259
Account Name: 2A0441F9-58AF-45AE-AC27-A01E338C293E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xF1948
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14566 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:06 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-704922105-1169053871-513812396-1042910259
Account Name: 2A0441F9-58AF-45AE-AC27-A01E338C293E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xF1948
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14565 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:06 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-704922105-1169053871-513812396-1042910259
Account Name: 2A0441F9-58AF-45AE-AC27-A01E338C293E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xF1948
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14564 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:06 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 2A0441F9-58AF-45AE-AC27-A01E338C293E
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14563 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:06 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-704922105-1169053871-513812396-1042910259
Account Name: 2A0441F9-58AF-45AE-AC27-A01E338C293E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xF18A3
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14562 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:06 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-704922105-1169053871-513812396-1042910259
Account Name: 2A0441F9-58AF-45AE-AC27-A01E338C293E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xF18A3
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14561 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:06 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 2A0441F9-58AF-45AE-AC27-A01E338C293E
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14560 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:06 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-4012731073-1153795455-524955009-1736700541
Account Name: EF2D6AC1-857F-44C5-812D-4A1F7DF28367
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xEF405
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14559 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:01 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-4012731073-1153795455-524955009-1736700541
Account Name: EF2D6AC1-857F-44C5-812D-4A1F7DF28367
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xEF405
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14558 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:01 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-4012731073-1153795455-524955009-1736700541
Account Name: EF2D6AC1-857F-44C5-812D-4A1F7DF28367
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xEF405
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14557 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:01 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: EF2D6AC1-857F-44C5-812D-4A1F7DF28367
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14556 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:01 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-4012731073-1153795455-524955009-1736700541
Account Name: EF2D6AC1-857F-44C5-812D-4A1F7DF28367
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xEE525
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14555 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:01 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-4012731073-1153795455-524955009-1736700541
Account Name: EF2D6AC1-857F-44C5-812D-4A1F7DF28367
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xEE66C
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14554 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:01 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-4012731073-1153795455-524955009-1736700541
Account Name: EF2D6AC1-857F-44C5-812D-4A1F7DF28367
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xEE66C
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14553 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:01 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: EF2D6AC1-857F-44C5-812D-4A1F7DF28367
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14552 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:01 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-4012731073-1153795455-524955009-1736700541
Account Name: EF2D6AC1-857F-44C5-812D-4A1F7DF28367
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xEE613
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14551 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:01 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-4012731073-1153795455-524955009-1736700541
Account Name: EF2D6AC1-857F-44C5-812D-4A1F7DF28367
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xEE613
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14550 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:01 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-4012731073-1153795455-524955009-1736700541
Account Name: EF2D6AC1-857F-44C5-812D-4A1F7DF28367
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xEE613
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14549 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:01 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: EF2D6AC1-857F-44C5-812D-4A1F7DF28367
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14548 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:01 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-4012731073-1153795455-524955009-1736700541
Account Name: EF2D6AC1-857F-44C5-812D-4A1F7DF28367
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xEE5CA
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14547 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:01 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-4012731073-1153795455-524955009-1736700541
Account Name: EF2D6AC1-857F-44C5-812D-4A1F7DF28367
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xEE5CA
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14546 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:01 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-4012731073-1153795455-524955009-1736700541
Account Name: EF2D6AC1-857F-44C5-812D-4A1F7DF28367
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xEE5CA
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14545 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:01 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: EF2D6AC1-857F-44C5-812D-4A1F7DF28367
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14544 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:01 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-4012731073-1153795455-524955009-1736700541
Account Name: EF2D6AC1-857F-44C5-812D-4A1F7DF28367
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xEE525
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14543 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:01 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-4012731073-1153795455-524955009-1736700541
Account Name: EF2D6AC1-857F-44C5-812D-4A1F7DF28367
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xEE525
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14542 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:01 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: EF2D6AC1-857F-44C5-812D-4A1F7DF28367
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14541 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:13:01 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2740766654-1295899679-1807655358-4246601915
Account Name: A35CC7BE-DC1F-4D3D-BEA1-BE6BBB001EFD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xE97D3
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14540 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:48 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2740766654-1295899679-1807655358-4246601915
Account Name: A35CC7BE-DC1F-4D3D-BEA1-BE6BBB001EFD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xE97D3
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14539 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:48 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2740766654-1295899679-1807655358-4246601915
Account Name: A35CC7BE-DC1F-4D3D-BEA1-BE6BBB001EFD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xE97D3
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14538 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:48 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: A35CC7BE-DC1F-4D3D-BEA1-BE6BBB001EFD
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14537 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:48 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-433913771-1084686010-3281122437-3190870793
Account Name: 19DCFFAB-FEBA-40A6-85F4-91C309D330BE
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xE5036
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14536 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:44 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-433913771-1084686010-3281122437-3190870793
Account Name: 19DCFFAB-FEBA-40A6-85F4-91C309D330BE
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xE5036
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14535 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:44 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-433913771-1084686010-3281122437-3190870793
Account Name: 19DCFFAB-FEBA-40A6-85F4-91C309D330BE
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xE5036
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14534 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:44 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 19DCFFAB-FEBA-40A6-85F4-91C309D330BE
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14533 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:44 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-4037056530-1083747710-2022068375-1537841245
Account Name: F0A09812-AD7E-4098-9750-86785D98A95B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xC5A8E
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14532 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:43 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2740766654-1295899679-1807655358-4246601915
Account Name: A35CC7BE-DC1F-4D3D-BEA1-BE6BBB001EFD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xE2F67
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14531 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:42 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2740766654-1295899679-1807655358-4246601915
Account Name: A35CC7BE-DC1F-4D3D-BEA1-BE6BBB001EFD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xE2F67
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14530 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:42 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2740766654-1295899679-1807655358-4246601915
Account Name: A35CC7BE-DC1F-4D3D-BEA1-BE6BBB001EFD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xE2F67
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14529 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:42 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: A35CC7BE-DC1F-4D3D-BEA1-BE6BBB001EFD
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14528 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:42 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2740766654-1295899679-1807655358-4246601915
Account Name: A35CC7BE-DC1F-4D3D-BEA1-BE6BBB001EFD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xE1776
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14527 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:42 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2740766654-1295899679-1807655358-4246601915
Account Name: A35CC7BE-DC1F-4D3D-BEA1-BE6BBB001EFD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xE1BBE
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14526 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:42 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2740766654-1295899679-1807655358-4246601915
Account Name: A35CC7BE-DC1F-4D3D-BEA1-BE6BBB001EFD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xE1BBE
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14525 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:42 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: A35CC7BE-DC1F-4D3D-BEA1-BE6BBB001EFD
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14524 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:42 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2740766654-1295899679-1807655358-4246601915
Account Name: A35CC7BE-DC1F-4D3D-BEA1-BE6BBB001EFD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xE1B45
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14523 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:41 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2740766654-1295899679-1807655358-4246601915
Account Name: A35CC7BE-DC1F-4D3D-BEA1-BE6BBB001EFD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xE1B45
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14522 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:41 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2740766654-1295899679-1807655358-4246601915
Account Name: A35CC7BE-DC1F-4D3D-BEA1-BE6BBB001EFD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xE1B45
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14521 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:41 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: A35CC7BE-DC1F-4D3D-BEA1-BE6BBB001EFD
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14520 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:41 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2740766654-1295899679-1807655358-4246601915
Account Name: A35CC7BE-DC1F-4D3D-BEA1-BE6BBB001EFD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xE19AF
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14519 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:41 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2740766654-1295899679-1807655358-4246601915
Account Name: A35CC7BE-DC1F-4D3D-BEA1-BE6BBB001EFD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xE19AF
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14518 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:41 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2740766654-1295899679-1807655358-4246601915
Account Name: A35CC7BE-DC1F-4D3D-BEA1-BE6BBB001EFD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xE19AF
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14517 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:41 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: A35CC7BE-DC1F-4D3D-BEA1-BE6BBB001EFD
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14516 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:41 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2740766654-1295899679-1807655358-4246601915
Account Name: A35CC7BE-DC1F-4D3D-BEA1-BE6BBB001EFD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xE1776
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14515 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:41 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2740766654-1295899679-1807655358-4246601915
Account Name: A35CC7BE-DC1F-4D3D-BEA1-BE6BBB001EFD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xE1776
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14514 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:41 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: A35CC7BE-DC1F-4D3D-BEA1-BE6BBB001EFD
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14513 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:41 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1872160660-1207846442-4097333893-2111256751
Account Name: 6F96E794-462A-47FE-855A-38F4AF38D77D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xE09E7
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14512 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:41 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1872160660-1207846442-4097333893-2111256751
Account Name: 6F96E794-462A-47FE-855A-38F4AF38D77D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xE09E7
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14511 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:41 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1872160660-1207846442-4097333893-2111256751
Account Name: 6F96E794-462A-47FE-855A-38F4AF38D77D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xE09E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14510 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:41 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 6F96E794-462A-47FE-855A-38F4AF38D77D
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14509 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:41 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-433913771-1084686010-3281122437-3190870793
Account Name: 19DCFFAB-FEBA-40A6-85F4-91C309D330BE
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xDE486
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14508 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:38 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-433913771-1084686010-3281122437-3190870793
Account Name: 19DCFFAB-FEBA-40A6-85F4-91C309D330BE
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xDE486
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14507 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:38 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-433913771-1084686010-3281122437-3190870793
Account Name: 19DCFFAB-FEBA-40A6-85F4-91C309D330BE
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xDE486
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14506 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:38 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 19DCFFAB-FEBA-40A6-85F4-91C309D330BE
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14505 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:38 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-433913771-1084686010-3281122437-3190870793
Account Name: 19DCFFAB-FEBA-40A6-85F4-91C309D330BE
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xDCBA7
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14504 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:37 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-433913771-1084686010-3281122437-3190870793
Account Name: 19DCFFAB-FEBA-40A6-85F4-91C309D330BE
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xDCE35
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14503 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:37 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-433913771-1084686010-3281122437-3190870793
Account Name: 19DCFFAB-FEBA-40A6-85F4-91C309D330BE
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xDCE35
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14502 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:37 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 19DCFFAB-FEBA-40A6-85F4-91C309D330BE
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14501 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:37 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-433913771-1084686010-3281122437-3190870793
Account Name: 19DCFFAB-FEBA-40A6-85F4-91C309D330BE
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xDCCBE
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14500 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:37 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-433913771-1084686010-3281122437-3190870793
Account Name: 19DCFFAB-FEBA-40A6-85F4-91C309D330BE
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xDCCBE
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14499 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:37 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-433913771-1084686010-3281122437-3190870793
Account Name: 19DCFFAB-FEBA-40A6-85F4-91C309D330BE
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xDCCBE
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14498 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:37 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 19DCFFAB-FEBA-40A6-85F4-91C309D330BE
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14497 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:37 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-433913771-1084686010-3281122437-3190870793
Account Name: 19DCFFAB-FEBA-40A6-85F4-91C309D330BE
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xDCC57
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14496 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:37 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-433913771-1084686010-3281122437-3190870793
Account Name: 19DCFFAB-FEBA-40A6-85F4-91C309D330BE
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xDCC57
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14495 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:37 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-433913771-1084686010-3281122437-3190870793
Account Name: 19DCFFAB-FEBA-40A6-85F4-91C309D330BE
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xDCC57
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14494 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:37 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 19DCFFAB-FEBA-40A6-85F4-91C309D330BE
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14493 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:37 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-433913771-1084686010-3281122437-3190870793
Account Name: 19DCFFAB-FEBA-40A6-85F4-91C309D330BE
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xDCBA7
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14492 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:37 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-433913771-1084686010-3281122437-3190870793
Account Name: 19DCFFAB-FEBA-40A6-85F4-91C309D330BE
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xDCBA7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14491 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:37 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 19DCFFAB-FEBA-40A6-85F4-91C309D330BE
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14490 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:37 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0xCFEDF
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14489 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:36 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1872160660-1207846442-4097333893-2111256751
Account Name: 6F96E794-462A-47FE-855A-38F4AF38D77D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xDA4A0
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14488 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:33 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1872160660-1207846442-4097333893-2111256751
Account Name: 6F96E794-462A-47FE-855A-38F4AF38D77D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xDA4A0
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14487 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:33 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1872160660-1207846442-4097333893-2111256751
Account Name: 6F96E794-462A-47FE-855A-38F4AF38D77D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xDA4A0
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14486 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:33 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 6F96E794-462A-47FE-855A-38F4AF38D77D
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14485 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:33 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1872160660-1207846442-4097333893-2111256751
Account Name: 6F96E794-462A-47FE-855A-38F4AF38D77D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xD9D84
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14484 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:33 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1872160660-1207846442-4097333893-2111256751
Account Name: 6F96E794-462A-47FE-855A-38F4AF38D77D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xD9D84
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14483 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:33 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1872160660-1207846442-4097333893-2111256751
Account Name: 6F96E794-462A-47FE-855A-38F4AF38D77D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xD9D84
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14482 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:33 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 6F96E794-462A-47FE-855A-38F4AF38D77D
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14481 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:33 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-4037056530-1083747710-2022068375-1537841245
Account Name: F0A09812-AD7E-4098-9750-86785D98A95B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xD8F0D
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14480 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:33 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-4037056530-1083747710-2022068375-1537841245
Account Name: F0A09812-AD7E-4098-9750-86785D98A95B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xD8F0D
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14479 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:33 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-4037056530-1083747710-2022068375-1537841245
Account Name: F0A09812-AD7E-4098-9750-86785D98A95B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xD8F0D
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14478 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:33 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: F0A09812-AD7E-4098-9750-86785D98A95B
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14477 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:33 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1872160660-1207846442-4097333893-2111256751
Account Name: 6F96E794-462A-47FE-855A-38F4AF38D77D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xD8C24
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14476 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:33 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1872160660-1207846442-4097333893-2111256751
Account Name: 6F96E794-462A-47FE-855A-38F4AF38D77D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xD8DBA
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14475 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:33 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1872160660-1207846442-4097333893-2111256751
Account Name: 6F96E794-462A-47FE-855A-38F4AF38D77D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xD8DBA
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14474 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:33 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 6F96E794-462A-47FE-855A-38F4AF38D77D
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14473 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:33 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1872160660-1207846442-4097333893-2111256751
Account Name: 6F96E794-462A-47FE-855A-38F4AF38D77D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xD8D29
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14472 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:33 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1872160660-1207846442-4097333893-2111256751
Account Name: 6F96E794-462A-47FE-855A-38F4AF38D77D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xD8D29
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14471 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:33 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1872160660-1207846442-4097333893-2111256751
Account Name: 6F96E794-462A-47FE-855A-38F4AF38D77D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xD8D29
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14470 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:33 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 6F96E794-462A-47FE-855A-38F4AF38D77D
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14469 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:33 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1872160660-1207846442-4097333893-2111256751
Account Name: 6F96E794-462A-47FE-855A-38F4AF38D77D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xD8CC9
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14468 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:33 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1872160660-1207846442-4097333893-2111256751
Account Name: 6F96E794-462A-47FE-855A-38F4AF38D77D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xD8CC9
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14467 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:33 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1872160660-1207846442-4097333893-2111256751
Account Name: 6F96E794-462A-47FE-855A-38F4AF38D77D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xD8CC9
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14466 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:33 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 6F96E794-462A-47FE-855A-38F4AF38D77D
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14465 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:33 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1872160660-1207846442-4097333893-2111256751
Account Name: 6F96E794-462A-47FE-855A-38F4AF38D77D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xD8C24
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14464 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:33 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1872160660-1207846442-4097333893-2111256751
Account Name: 6F96E794-462A-47FE-855A-38F4AF38D77D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xD8C24
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14463 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:33 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 6F96E794-462A-47FE-855A-38F4AF38D77D
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14462 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:33 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2566258691-1271026195-2381846912-2242024570
Account Name: 98F60003-5213-4BC2-8019-F88D7A94A285
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBA0B6
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14461 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:22 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0xCFEDF
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {0280A675-5C7E-EB18-A634-7A52969BC6F0}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.222.0.76
Source Port: 63793
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14460 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:20 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: Administrator
Account Domain: CBCI-849328-3
Logon ID: 0xCFEDF
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14459 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:20 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3332629201-1262610018-3687954085-3746217559
Account Name: C6A3E2D1-E662-4B41-A5B6-D1DB57BE4ADF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xCE82D
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14458 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:18 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3332629201-1262610018-3687954085-3746217559
Account Name: C6A3E2D1-E662-4B41-A5B6-D1DB57BE4ADF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xCE82D
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14457 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:18 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3332629201-1262610018-3687954085-3746217559
Account Name: C6A3E2D1-E662-4B41-A5B6-D1DB57BE4ADF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xCE82D
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14456 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:18 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: C6A3E2D1-E662-4B41-A5B6-D1DB57BE4ADF
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14455 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:18 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-4037056530-1083747710-2022068375-1537841245
Account Name: F0A09812-AD7E-4098-9750-86785D98A95B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xCC6D0
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14454 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:15 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-4037056530-1083747710-2022068375-1537841245
Account Name: F0A09812-AD7E-4098-9750-86785D98A95B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xCC6D0
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14453 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:15 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-4037056530-1083747710-2022068375-1537841245
Account Name: F0A09812-AD7E-4098-9750-86785D98A95B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xCC6D0
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14452 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:15 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: F0A09812-AD7E-4098-9750-86785D98A95B
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14451 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:15 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3332629201-1262610018-3687954085-3746217559
Account Name: C6A3E2D1-E662-4B41-A5B6-D1DB57BE4ADF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xC8556
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14450 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:10 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3332629201-1262610018-3687954085-3746217559
Account Name: C6A3E2D1-E662-4B41-A5B6-D1DB57BE4ADF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xC8556
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14449 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:10 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3332629201-1262610018-3687954085-3746217559
Account Name: C6A3E2D1-E662-4B41-A5B6-D1DB57BE4ADF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xC8556
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14448 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:10 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: C6A3E2D1-E662-4B41-A5B6-D1DB57BE4ADF
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14447 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:10 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3332629201-1262610018-3687954085-3746217559
Account Name: C6A3E2D1-E662-4B41-A5B6-D1DB57BE4ADF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xC75D0
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14446 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:10 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3332629201-1262610018-3687954085-3746217559
Account Name: C6A3E2D1-E662-4B41-A5B6-D1DB57BE4ADF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xC7717
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14445 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:10 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3332629201-1262610018-3687954085-3746217559
Account Name: C6A3E2D1-E662-4B41-A5B6-D1DB57BE4ADF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xC7717
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14444 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:10 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: C6A3E2D1-E662-4B41-A5B6-D1DB57BE4ADF
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14443 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:10 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3332629201-1262610018-3687954085-3746217559
Account Name: C6A3E2D1-E662-4B41-A5B6-D1DB57BE4ADF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xC76BE
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14442 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:10 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3332629201-1262610018-3687954085-3746217559
Account Name: C6A3E2D1-E662-4B41-A5B6-D1DB57BE4ADF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xC76BE
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14441 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:10 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3332629201-1262610018-3687954085-3746217559
Account Name: C6A3E2D1-E662-4B41-A5B6-D1DB57BE4ADF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xC76BE
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14440 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:10 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: C6A3E2D1-E662-4B41-A5B6-D1DB57BE4ADF
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14439 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:10 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3332629201-1262610018-3687954085-3746217559
Account Name: C6A3E2D1-E662-4B41-A5B6-D1DB57BE4ADF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xC7675
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14438 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:10 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3332629201-1262610018-3687954085-3746217559
Account Name: C6A3E2D1-E662-4B41-A5B6-D1DB57BE4ADF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xC7675
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14437 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:10 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3332629201-1262610018-3687954085-3746217559
Account Name: C6A3E2D1-E662-4B41-A5B6-D1DB57BE4ADF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xC7675
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14436 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:10 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: C6A3E2D1-E662-4B41-A5B6-D1DB57BE4ADF
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14435 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:10 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3332629201-1262610018-3687954085-3746217559
Account Name: C6A3E2D1-E662-4B41-A5B6-D1DB57BE4ADF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xC75D0
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14434 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:09 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3332629201-1262610018-3687954085-3746217559
Account Name: C6A3E2D1-E662-4B41-A5B6-D1DB57BE4ADF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xC75D0
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14433 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:09 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: C6A3E2D1-E662-4B41-A5B6-D1DB57BE4ADF
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14432 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:09 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-4037056530-1083747710-2022068375-1537841245
Account Name: F0A09812-AD7E-4098-9750-86785D98A95B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xC6771
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14431 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:08 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-4037056530-1083747710-2022068375-1537841245
Account Name: F0A09812-AD7E-4098-9750-86785D98A95B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xC6771
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14430 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:08 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-4037056530-1083747710-2022068375-1537841245
Account Name: F0A09812-AD7E-4098-9750-86785D98A95B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xC6771
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14429 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:08 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: F0A09812-AD7E-4098-9750-86785D98A95B
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14428 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:08 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-4037056530-1083747710-2022068375-1537841245
Account Name: F0A09812-AD7E-4098-9750-86785D98A95B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xC5947
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14427 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:08 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-4037056530-1083747710-2022068375-1537841245
Account Name: F0A09812-AD7E-4098-9750-86785D98A95B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xC5A8E
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14426 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:08 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-4037056530-1083747710-2022068375-1537841245
Account Name: F0A09812-AD7E-4098-9750-86785D98A95B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xC5A8E
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14425 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:08 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: F0A09812-AD7E-4098-9750-86785D98A95B
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14424 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:08 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-4037056530-1083747710-2022068375-1537841245
Account Name: F0A09812-AD7E-4098-9750-86785D98A95B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xC5A35
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14423 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:08 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-4037056530-1083747710-2022068375-1537841245
Account Name: F0A09812-AD7E-4098-9750-86785D98A95B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xC5A35
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14422 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:08 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-4037056530-1083747710-2022068375-1537841245
Account Name: F0A09812-AD7E-4098-9750-86785D98A95B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xC5A35
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14421 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:08 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: F0A09812-AD7E-4098-9750-86785D98A95B
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14420 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:08 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-4037056530-1083747710-2022068375-1537841245
Account Name: F0A09812-AD7E-4098-9750-86785D98A95B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xC59EC
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14419 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:07 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-4037056530-1083747710-2022068375-1537841245
Account Name: F0A09812-AD7E-4098-9750-86785D98A95B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xC59EC
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14418 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:07 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-4037056530-1083747710-2022068375-1537841245
Account Name: F0A09812-AD7E-4098-9750-86785D98A95B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xC59EC
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14417 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:07 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: F0A09812-AD7E-4098-9750-86785D98A95B
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14416 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:07 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-4037056530-1083747710-2022068375-1537841245
Account Name: F0A09812-AD7E-4098-9750-86785D98A95B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xC5947
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14415 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:07 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-4037056530-1083747710-2022068375-1537841245
Account Name: F0A09812-AD7E-4098-9750-86785D98A95B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xC5947
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14414 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:07 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: F0A09812-AD7E-4098-9750-86785D98A95B
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14413 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:12:07 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2566258691-1271026195-2381846912-2242024570
Account Name: 98F60003-5213-4BC2-8019-F88D7A94A285
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBE494
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14412 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:11:42 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2566258691-1271026195-2381846912-2242024570
Account Name: 98F60003-5213-4BC2-8019-F88D7A94A285
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBE494
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14411 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:11:42 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2566258691-1271026195-2381846912-2242024570
Account Name: 98F60003-5213-4BC2-8019-F88D7A94A285
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBE494
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14410 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:11:42 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 98F60003-5213-4BC2-8019-F88D7A94A285
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14409 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:11:42 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2566258691-1271026195-2381846912-2242024570
Account Name: 98F60003-5213-4BC2-8019-F88D7A94A285
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBAED3
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14408 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:11:35 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2566258691-1271026195-2381846912-2242024570
Account Name: 98F60003-5213-4BC2-8019-F88D7A94A285
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBAED3
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14407 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:11:35 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2566258691-1271026195-2381846912-2242024570
Account Name: 98F60003-5213-4BC2-8019-F88D7A94A285
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBAED3
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14406 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:11:35 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 98F60003-5213-4BC2-8019-F88D7A94A285
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14405 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:11:35 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2566258691-1271026195-2381846912-2242024570
Account Name: 98F60003-5213-4BC2-8019-F88D7A94A285
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB9F02
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14404 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:11:35 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2566258691-1271026195-2381846912-2242024570
Account Name: 98F60003-5213-4BC2-8019-F88D7A94A285
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBA0B6
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14403 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:11:34 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2566258691-1271026195-2381846912-2242024570
Account Name: 98F60003-5213-4BC2-8019-F88D7A94A285
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBA0B6
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14402 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:11:34 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 98F60003-5213-4BC2-8019-F88D7A94A285
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14401 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:11:34 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2566258691-1271026195-2381846912-2242024570
Account Name: 98F60003-5213-4BC2-8019-F88D7A94A285
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBA04B
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14400 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:11:34 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2566258691-1271026195-2381846912-2242024570
Account Name: 98F60003-5213-4BC2-8019-F88D7A94A285
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBA04B
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14399 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:11:34 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2566258691-1271026195-2381846912-2242024570
Account Name: 98F60003-5213-4BC2-8019-F88D7A94A285
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBA04B
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14398 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:11:34 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 98F60003-5213-4BC2-8019-F88D7A94A285
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14397 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:11:34 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2566258691-1271026195-2381846912-2242024570
Account Name: 98F60003-5213-4BC2-8019-F88D7A94A285
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB9FFA
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14396 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:11:34 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2566258691-1271026195-2381846912-2242024570
Account Name: 98F60003-5213-4BC2-8019-F88D7A94A285
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB9FFA
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14395 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:11:34 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2566258691-1271026195-2381846912-2242024570
Account Name: 98F60003-5213-4BC2-8019-F88D7A94A285
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB9FFA
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14394 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:11:34 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 98F60003-5213-4BC2-8019-F88D7A94A285
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14393 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:11:34 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2566258691-1271026195-2381846912-2242024570
Account Name: 98F60003-5213-4BC2-8019-F88D7A94A285
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB9F02
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14392 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:11:34 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2566258691-1271026195-2381846912-2242024570
Account Name: 98F60003-5213-4BC2-8019-F88D7A94A285
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB9F02
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14391 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:11:34 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 98F60003-5213-4BC2-8019-F88D7A94A285
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14390 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:11:34 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14389 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:11:32 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x328
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14388 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:11:32 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-21-2114670727-606540684-783651581-1001
Account Name: Admin
Account Domain: N-H1-849328-3
Logon ID: 0x2036F
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Process Information:
Process ID: 0x1244
Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14387 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:09:33 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Key migration operation.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: ECDSA_P256
Key Name: Microsoft Connected Devices Platform device certificate
Key Type: User key.
Additional Information:
Operation: Export of persistent cryptographic key.
Return Code: 0x0 | 5059 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14386 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:09:17 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Cryptographic operation.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: ECDSA_P256
Key Name: Microsoft Connected Devices Platform device certificate
Key Type: User key.
Cryptographic Operation:
Operation: Open Key.
Return Code: 0x0 | 5061 | 0 | | 0 | 12290 | 0 | -9214364837600034816 | 14385 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:09:17 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | System Integrity | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Key file operation.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: UNKNOWN
Key Name: Microsoft Connected Devices Platform device certificate
Key Type: User key.
Key File Operation Information:
File Path: C:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_aed26481-f95f-43a5-9ed9-d7743aaab555
Operation: Read persisted key from file.
Return Code: 0x0 | 5058 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14384 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:09:17 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-2114670727-606540684-783651581-1000
Account Name: cloudbase-init
Account Domain: N-H1-849328-3
Logon ID: 0x14C27
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14383 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:08:19 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: administrator
Account Domain: CBCI-849328-3
Logon ID: 0x6C464
Privileges: SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14382 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:08:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: administrator
Account Domain: CBCI-849328-3
Logon ID: 0x6C464
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {1555B8FB-A22F-D67D-11C6-1C38CA8E7C1A}
Process Information:
Process ID: 0x328
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: N-H1-849328-3
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14381 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:08:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: administrator
Account Domain: CBCI-849328-3
Logon GUID: {1555B8FB-A22F-D67D-11C6-1C38CA8E7C1A}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x328
Process Name: C:\Windows\System32\services.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14380 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:08:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Process Information:
Process ID: 0x5ac
Process Name: C:\Windows\System32\svchost.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14379 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:08:13 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: administrator
Account Domain: CBCI-849328-3
Logon ID: 0x54B73
Privileges: SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14378 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:08:11 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-983202948-4163701588-1340701919-500
Account Name: administrator
Account Domain: CBCI-849328-3
Logon ID: 0x54B73
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {B30B8FAB-06C5-792D-24F2-610F38F253CC}
Process Information:
Process ID: 0x328
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: N-H1-849328-3
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14377 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:08:11 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: administrator
Account Domain: CBCI-849328-3
Logon GUID: {B30B8FAB-06C5-792D-24F2-610F38F253CC}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x328
Process Name: C:\Windows\System32\services.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14376 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:08:11 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x4E877
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14375 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:08:02 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x4E877
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {96BC1F67-53D9-48E5-BAF7-B6DFABC6DD26}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14374 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:08:02 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x4E877
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14373 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:08:02 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3.LOCAL
Logon GUID: {2F49125E-A17E-0DB8-2366-E32DE53EE2C2}
Target Server:
Target Server Name: n-h1-849328-3$
Additional Information: n-h1-849328-3$
Process Information:
Process ID: 0x714
Process Name: C:\Windows\System32\taskhostw.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14372 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:08:02 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x4CD84
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14371 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:08:02 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x4CD84
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {CD54278A-4B5D-C271-81C0-9454805F6B3C}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 0
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14370 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:08:02 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x4CD84
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14369 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:08:02 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x40526
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14368 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:53 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x40526
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {80A352E0-87E2-E9F2-3DEA-BA3BCC38C645}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14367 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:53 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x40526
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14366 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:53 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3.LOCAL
Logon GUID: {F459E0C3-D45A-8BDE-9ED8-06DF3F7532E8}
Target Server:
Target Server Name: n-h1-849328-3$
Additional Information: n-h1-849328-3$
Process Information:
Process ID: 0x1314
Process Name: C:\Windows\System32\taskhostw.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14365 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:53 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3D4F0
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14364 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:53 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x3D4F0
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {CD54278A-4B5D-C271-81C0-9454805F6B3C}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 0
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14363 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:52 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3D4F0
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14362 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:52 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-2114670727-606540684-783651581-1000
Account Name: cloudbase-init
Account Domain: N-H1-849328-3
Logon ID: 0x301C5
Logon Type: 4
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14361 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 904 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:45 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
System security access was granted to an account.
Subject:
Security ID: S-1-5-21-2114670727-606540684-783651581-1001
Account Name: Admin
Account Domain: N-H1-849328-3
Logon ID: 0x2036F
Account Modified:
Account Name: S-1-5-21-983202948-4163701588-1340701919-500
Access Granted:
Access Right: SeServiceLogonRight | 4717 | 0 | | 0 | 13569 | 0 | -9214364837600034816 | 14360 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:43 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Authentication Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14359 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:35 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x328
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14358 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:35 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x315A5
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14357 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:28 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x315A5
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {C932C88C-D9A5-96FF-ED0C-563841C450F9}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14356 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:28 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x315A5
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14355 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:28 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3.LOCAL
Logon GUID: {36A39DA8-9601-91C7-1514-C34EBA526688}
Target Server:
Target Server Name: n-h1-849328-3$
Additional Information: n-h1-849328-3$
Process Information:
Process ID: 0xca0
Process Name: C:\Windows\System32\taskhostw.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14354 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:28 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-2114670727-606540684-783651581-1000
Account Name: cloudbase-init
Account Domain: N-H1-849328-3
Logon ID: 0x301C5
Privileges: SeAssignPrimaryTokenPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14353 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:27 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-21-2114670727-606540684-783651581-1000
Account Name: cloudbase-init
Account Domain: N-H1-849328-3
Logon ID: 0x14C27
Logon Information:
Logon Type: 4
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-2114670727-606540684-783651581-1000
Account Name: cloudbase-init
Account Domain: N-H1-849328-3
Logon ID: 0x301C5
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xbb4
Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe
Network Information:
Workstation Name: N-H1-849328-3
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14352 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:27 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: cloudbase-init
Source Workstation: N-H1-849328-3
Error Code: 0x0 | 4776 | 0 | | 0 | 14336 | 0 | -9214364837600034816 | 14351 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:27 AM | 437157fa-b7a1-0005-5158-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Credential Validation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An attempt was made to reset an account's password.
Subject:
Security ID: S-1-5-21-2114670727-606540684-783651581-1000
Account Name: cloudbase-init
Account Domain: N-H1-849328-3
Logon ID: 0x14C27
Target Account:
Security ID: S-1-5-21-2114670727-606540684-783651581-1000
Account Name: cloudbase-init
Account Domain: N-H1-849328-3 | 4724 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14350 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:27 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A user account was changed.
Subject:
Security ID: S-1-5-21-2114670727-606540684-783651581-1000
Account Name: cloudbase-init
Account Domain: N-H1-849328-3
Logon ID: 0x14C27
Target Account:
Security ID: S-1-5-21-2114670727-606540684-783651581-1000
Account Name: cloudbase-init
Account Domain: N-H1-849328-3
Changed Attributes:
SAM Account Name: cloudbase-init
Display Name: cloudbase-init
User Principal Name: -
Home Directory: <value not set>
Home Drive: <value not set>
Script Path: <value not set>
Profile Path: <value not set>
User Workstations: <value not set>
Password Last Set: 8/24/2022 10:07:27 AM
Account Expires: <never>
Primary Group ID: 513
AllowedToDelegateTo: -
Old UAC Value: 0x210
New UAC Value: 0x210
User Account Control: -
User Parameters: -
SID History: -
Logon Hours: All
Additional Information:
Privileges: - | 4738 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14349 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:27 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A user's local group membership was enumerated.
Subject:
Security ID: S-1-5-21-2114670727-606540684-783651581-1000
Account Name: cloudbase-init
Account Domain: N-H1-849328-3
Logon ID: 0x14C27
User:
Security ID: S-1-5-21-2114670727-606540684-783651581-1000
Account Name: cloudbase-init
Account Domain: N-H1-849328-3
Process Information:
Process ID: 0xbb4
Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe | 4798 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14348 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:27 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A user's local group membership was enumerated.
Subject:
Security ID: S-1-5-21-2114670727-606540684-783651581-1000
Account Name: cloudbase-init
Account Domain: N-H1-849328-3
Logon ID: 0x14C27
User:
Security ID: S-1-5-21-2114670727-606540684-783651581-1000
Account Name: cloudbase-init
Account Domain: N-H1-849328-3
Process Information:
Process ID: 0xbb4
Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe | 4798 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14347 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:27 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x29B25
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14346 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:20 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x29B25
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {CD54278A-4B5D-C271-81C0-9454805F6B3C}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 0
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14345 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:20 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x29B25
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14344 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:20 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-551
Group Name: Backup Operators
Group Domain: Builtin
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14343 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:20 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Process Information:
Process ID: 0x9ac
Process Name: C:\Windows\System32\vmms.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14342 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:20 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14341 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:20 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x328
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14340 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:20 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14339 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:19 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x328
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14338 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:19 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Domain Policy was changed.
Change Type: Password Policy modified
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Domain:
Domain Name: N-H1-849328-3
Domain ID: S-1-5-21-2114670727-606540684-783651581
Changed Attributes:
Min. Password Age:
Max. Password Age:
Force Logoff:
Lockout Threshold:
Lockout Observation Window:
Lockout Duration:
Password Properties:
Min. Password Length:
Password History Length: -
Machine Account Quota: -
Mixed Domain Mode: -
Domain Behavior Version: -
OEM Information: 1
Additional Information:
Privileges: - | 4739 | 0 | | 0 | 13569 | 0 | -9214364837600034816 | 14337 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:19 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Authentication Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-2114670727-606540684-783651581-1001
Account Name: Admin
Account Domain: N-H1-849328-3
Logon ID: 0x2036F
Privileges: SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14336 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:18 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-20
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E4
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-2114670727-606540684-783651581-1001
Account Name: Admin
Account Domain: N-H1-849328-3
Logon ID: 0x2036F
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x46c
Process Name: C:\Windows\System32\svchost.exe
Network Information:
Workstation Name: N-H1-849328-3
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14335 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:18 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-20
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E4
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: Admin
Account Domain: N-H1-849328-3
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x46c
Process Name: C:\Windows\System32\svchost.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14334 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:18 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: Admin
Source Workstation: N-H1-849328-3
Error Code: 0x0 | 4776 | 0 | | 0 | 14336 | 0 | -9214364837600034816 | 14333 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:18 AM | 437157fa-b7a1-0004-2c58-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Credential Validation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Process Information:
Process ID: 0x5ac
Process Name: C:\Windows\System32\svchost.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14332 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:18 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-2114670727-606540684-783651581-1001
Account Name: Admin
Account Domain: N-H1-849328-3
Logon ID: 0x1F14F
Privileges: SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14331 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:18 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-20
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E4
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-2114670727-606540684-783651581-1001
Account Name: Admin
Account Domain: N-H1-849328-3
Logon ID: 0x1F14F
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x46c
Process Name: C:\Windows\System32\svchost.exe
Network Information:
Workstation Name: N-H1-849328-3
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14330 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:18 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-20
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E4
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: Admin
Account Domain: N-H1-849328-3
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x46c
Process Name: C:\Windows\System32\svchost.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14329 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:18 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: Admin
Source Workstation: N-H1-849328-3
Error Code: 0x0 | 4776 | 0 | | 0 | 14336 | 0 | -9214364837600034816 | 14328 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:18 AM | 437157fa-b7a1-0000-2158-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Credential Validation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Cryptographic operation.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: RSA
Key Name: 40e41d01-68cd-4460-9fd4-0564d5289d6f
Key Type: Machine key.
Cryptographic Operation:
Operation: Open Key.
Return Code: 0x0 | 5061 | 0 | | 0 | 12290 | 0 | -9214364837600034816 | 14327 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:17 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | System Integrity | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Key file operation.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: UNKNOWN
Key Name: 40e41d01-68cd-4460-9fd4-0564d5289d6f
Key Type: Machine key.
Key File Operation Information:
File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\8393cd0ea261579156fd7b62dc3a5267_aed26481-f95f-43a5-9ed9-d7743aaab555
Operation: Read persisted key from file.
Return Code: 0x0 | 5058 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14326 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:17 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x1BF4A
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14325 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:17 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x1BF4A
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {699C9458-8A96-E2BB-607F-01630BD26110}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 0
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14324 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:17 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x1BF4A
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14323 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:17 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x1AB34
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14322 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:17 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3.LOCAL
Logon ID: 0x1AB34
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {699C9458-8A96-E2BB-607F-01630BD26110}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 0
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14321 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:17 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x1AB34
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14320 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:17 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The Windows Firewall service started successfully. | 5024 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14319 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:17 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Process Information:
Process ID: 0x5ac
Process Name: C:\Windows\System32\svchost.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14318 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:17 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Cryptographic operation.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: RSA
Key Name: TSSecKeySet1
Key Type: Machine key.
Cryptographic Operation:
Operation: Open Key.
Return Code: 0x0 | 5061 | 0 | | 0 | 12290 | 0 | -9214364837600034816 | 14317 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | System Integrity | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Key file operation.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: UNKNOWN
Key Name: TSSecKeySet1
Key Type: Machine key.
Key File Operation Information:
File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_aed26481-f95f-43a5-9ed9-d7743aaab555
Operation: Read persisted key from file.
Return Code: 0x0 | 5058 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14316 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Cryptographic operation.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: RSA
Key Name: TSSecKeySet1
Key Type: Machine key.
Cryptographic Operation:
Operation: Open Key.
Return Code: 0x0 | 5061 | 0 | | 0 | 12290 | 0 | -9214364837600034816 | 14315 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | System Integrity | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Key file operation.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: UNKNOWN
Key Name: TSSecKeySet1
Key Type: Machine key.
Key File Operation Information:
File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_aed26481-f95f-43a5-9ed9-d7743aaab555
Operation: Read persisted key from file.
Return Code: 0x0 | 5058 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14314 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: No
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-7
Account Name: ANONYMOUS LOGON
Account Domain: NT AUTHORITY
Logon ID: 0x16813
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): NTLM V1
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14313 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-20
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E4
Group:
Security ID: S-1-5-32-551
Group Name: Backup Operators
Group Domain: Builtin
Process Information:
Process ID: 0x46c
Process Name: C:\Windows\System32\svchost.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14312 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-20
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E4
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Process Information:
Process ID: 0x46c
Process Name: C:\Windows\System32\svchost.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14311 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2196 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14310 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2348 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x328
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14309 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2348 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14308 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2200 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x328
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14307 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2200 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14306 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2192 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x328
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14305 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2192 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14304 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2208 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x328
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14303 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2208 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-2114670727-606540684-783651581-1000
Account Name: cloudbase-init
Account Domain: N-H1-849328-3
Logon ID: 0x14C27
Privileges: SeAssignPrimaryTokenPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14302 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-2114670727-606540684-783651581-1000
Account Name: cloudbase-init
Account Domain: N-H1-849328-3
Logon ID: 0x14C27
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x328
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: N-H1-849328-3
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14301 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: cloudbase-init
Account Domain: N-H1-849328-3
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x328
Process Name: C:\Windows\System32\services.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14300 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: cloudbase-init
Source Workstation: N-H1-849328-3
Error Code: 0x0 | 4776 | 0 | | 0 | 14336 | 0 | -9214364837600034816 | 14299 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:16 AM | 437157fa-b7a1-0001-1b58-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Credential Validation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14298 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2208 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x328
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14297 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2208 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-551
Group Name: Backup Operators
Group Domain: Builtin
Process Information:
Process ID: 0x5ac
Process Name: C:\Windows\System32\svchost.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14296 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2208 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Process Information:
Process ID: 0x5ac
Process Name: C:\Windows\System32\svchost.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14295 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2204 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14294 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2192 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x328
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14293 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 2192 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:16 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The Windows Firewall Driver started successfully. | 5033 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14292 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 32 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:16 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-551
Group Name: Backup Operators
Group Domain: Builtin
Process Information:
Process ID: 0x610
Process Name: C:\Windows\System32\VSSVC.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14291 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:15 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Process Information:
Process ID: 0x610
Process Name: C:\Windows\System32\VSSVC.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14290 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:15 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-551
Group Name: Backup Operators
Group Domain: Builtin
Process Information:
Process ID: 0x610
Process Name: C:\Windows\System32\VSSVC.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14289 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 860 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:15 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Process Information:
Process ID: 0x610
Process Name: C:\Windows\System32\VSSVC.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14288 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 860 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:15 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-551
Group Name: Backup Operators
Group Domain: Builtin
Process Information:
Process ID: 0x610
Process Name: C:\Windows\System32\VSSVC.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14287 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 860 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:15 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Process Information:
Process ID: 0x610
Process Name: C:\Windows\System32\VSSVC.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14286 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 860 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:15 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14285 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 860 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:15 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x328
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14284 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 860 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:15 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-551
Group Name: Backup Operators
Group Domain: Builtin
Process Information:
Process ID: 0x610
Process Name: C:\Windows\System32\VSSVC.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14283 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 860 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:15 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Process Information:
Process ID: 0x610
Process Name: C:\Windows\System32\VSSVC.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14282 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 860 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:15 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14281 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:15 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x328
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14280 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 804 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:15 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14279 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 860 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:15 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x328
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14278 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 860 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:15 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The system time was changed.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Process Information:
Process ID: 0x168
Name: C:\Windows\System32\svchost.exe
Previous Time: ?2022?-?08?-?24T10:07:14.777697400Z
New Time: ?2022?-?08?-?24T10:07:15.048000000Z
This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer. | 4616 | 1 | | 0 | 12288 | 0 | -9214364837600034816 | 14277 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 512 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:15 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security State Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14276 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 860 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:14 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x328
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14275 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 860 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:14 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Privileges: SeAssignPrimaryTokenPrivilege
SeAuditPrivilege
SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14274 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:14 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x328
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14273 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:14 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14272 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:14 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x328
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14271 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:14 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-90-0-1
Account Name: DWM-1
Account Domain: Window Manager
Logon ID: 0xBF9C
Privileges: SeAssignPrimaryTokenPrivilege
SeAuditPrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14270 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:14 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-90-0-1
Account Name: DWM-1
Account Domain: Window Manager
Logon ID: 0xBF76
Privileges: SeAssignPrimaryTokenPrivilege
SeAuditPrivilege
SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14269 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:14 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 2
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: No
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-90-0-1
Account Name: DWM-1
Account Domain: Window Manager
Logon ID: 0xBF9C
Linked Logon ID: 0xBF76
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x2e0
Process Name: C:\Windows\System32\winlogon.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14268 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:14 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 2
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-90-0-1
Account Name: DWM-1
Account Domain: Window Manager
Logon ID: 0xBF76
Linked Logon ID: 0xBF9C
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x2e0
Process Name: C:\Windows\System32\winlogon.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14267 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:14 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: DWM-1
Account Domain: Window Manager
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x2e0
Process Name: C:\Windows\System32\winlogon.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14266 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:14 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-20
Account Name: NETWORK SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E4
Privileges: SeAssignPrimaryTokenPrivilege
SeAuditPrivilege
SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14265 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:13 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-20
Account Name: NETWORK SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E4
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x328
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14264 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 916 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:13 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14263 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 860 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:13 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: CBCI-849328-3
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x328
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14262 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 860 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:13 AM | 437157fa-b7a1-0005-fd57-7143a1b7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The Per-user audit policy table was created.
Number of Elements: 0
Policy ID: 0x652E | 4902 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14261 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 872 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:13 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 0
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: -
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x4
Process Name:
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: -
Authentication Package: -
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14260 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 828 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:12 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Windows is starting up.
This event is logged when LSASS.EXE starts and the auditing subsystem is initialized. | 4608 | 0 | | 0 | 12288 | 0 | -9214364837600034816 | 14259 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 828 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:12 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security State Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x338
New Process Name: C:\Windows\System32\lsass.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x2b8
Creator Process Name: C:\Windows\System32\wininit.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 14258 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 512 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:12 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x328
New Process Name: C:\Windows\System32\services.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x2b8
Creator Process Name: C:\Windows\System32\wininit.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 14257 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 32 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:12 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x2e0
New Process Name: C:\Windows\System32\winlogon.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x294
Creator Process Name: C:\Windows\System32\smss.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 14256 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 508 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:11 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x2b8
New Process Name: C:\Windows\System32\wininit.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x240
Creator Process Name: C:\Windows\System32\smss.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 14255 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 508 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:11 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x2a0
New Process Name: C:\Windows\System32\csrss.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x294
Creator Process Name: C:\Windows\System32\smss.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 14254 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 508 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:11 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x294
New Process Name: C:\Windows\System32\smss.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x190
Creator Process Name: C:\Windows\System32\smss.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 14253 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 508 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:11 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x248
New Process Name: C:\Windows\System32\csrss.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x240
Creator Process Name: C:\Windows\System32\smss.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 14252 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 312 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:10 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x240
New Process Name: C:\Windows\System32\smss.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x190
Creator Process Name: C:\Windows\System32\smss.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 14251 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 312 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:10 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x214
New Process Name: C:\Windows\System32\autochk.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x190
Creator Process Name: C:\Windows\System32\smss.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 14250 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 136 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:08 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x190
New Process Name: C:\Windows\System32\smss.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x4
Creator Process Name:
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 14249 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 136 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:07 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x18c
New Process Name:
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x4
Creator Process Name:
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 14248 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 136 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:07 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Boot Configuration Data loaded.
Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
General Settings:
Load Options: -
Advanced Options: No
Configuration Access Policy: Default
System Event Logging: No
Kernel Debugging: No
VSM Launch Type: Auto
Signature Settings:
Test Signing: No
Flight Signing: No
Disable Integrity Checks: No
HyperVisor Settings:
HyperVisor Load Options: -
HyperVisor Launch Type: Auto
HyperVisor Debugging: No | 4826 | 0 | | 0 | 13573 | 0 | -9214364837600034816 | 14247 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 136 | n-h1-849328-3.cbci-849328-3.local | | 8/24/2022 10:07:07 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other Policy Change Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The system time was changed.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Process Information:
Process ID: 0x59c
Name: C:\Windows\System32\svchost.exe
Previous Time: ?2022?-?08?-?24T10:06:57.598999200Z
New Time: ?2022?-?08?-?24T10:06:57.595000000Z
This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer. | 4616 | 1 | | 0 | 12288 | 0 | -9214364837600034816 | 14246 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 316 | n-h1-849328-3 | | 8/24/2022 10:06:57 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security State Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The event logging service has shut down. | 1100 | 0 | | 4 | 103 | 0 | 4620693217682128896 | 14245 | Microsoft-Windows-Eventlog | fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148 | Security | 1444 | 4556 | n-h1-849328-3 | | 8/24/2022 10:06:57 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Service shutdown | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-2114670727-606540684-783651581-1001
Account Name: Admin
Account Domain: N-H1-849328-3
Logon ID: 0x4E104A
Privileges: SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14244 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 900 | n-h1-849328-3 | | 8/24/2022 10:06:56 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-20
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E4
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-2114670727-606540684-783651581-1001
Account Name: Admin
Account Domain: N-H1-849328-3
Logon ID: 0x4E104A
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x538
Process Name: C:\Windows\System32\svchost.exe
Network Information:
Workstation Name: N-H1-849328-3
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14243 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 900 | n-h1-849328-3 | | 8/24/2022 10:06:56 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-20
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E4
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: Admin
Account Domain: N-H1-849328-3
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x538
Process Name: C:\Windows\System32\svchost.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14242 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 900 | n-h1-849328-3 | | 8/24/2022 10:06:56 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: Admin
Source Workstation: N-H1-849328-3
Error Code: 0x0 | 4776 | 0 | | 0 | 14336 | 0 | -9214364837600034816 | 14241 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 900 | n-h1-849328-3 | | 8/24/2022 10:06:56 AM | aca241c0-b79a-0004-e14c-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Credential Validation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A member was added to a security-enabled local group.
Subject:
Security ID: S-1-5-21-2114670727-606540684-783651581-1001
Account Name: Admin
Account Domain: N-H1-849328-3
Logon ID: 0x1262DA
Member:
Security ID: S-1-5-21-983202948-4163701588-1340701919-513
Account Name: -
Group:
Security ID: S-1-5-32-545
Group Name: Users
Group Domain: Builtin
Additional Information:
Privileges: - | 4732 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14240 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3908 | n-h1-849328-3 | | 8/24/2022 10:06:53 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A member was added to a security-enabled local group.
Subject:
Security ID: S-1-5-21-2114670727-606540684-783651581-1001
Account Name: Admin
Account Domain: N-H1-849328-3
Logon ID: 0x1262DA
Member:
Security ID: S-1-5-21-983202948-4163701588-1340701919-512
Account Name: -
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Additional Information:
Privileges: - | 4732 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14239 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 860 | n-h1-849328-3 | | 8/24/2022 10:06:52 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-21-2114670727-606540684-783651581-1001
Account Name: Admin
Account Domain: N-H1-849328-3
Logon ID: 0x1262DA
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: n-ad-849328-3.cbci-849328-3.local
Additional Information: cifs/n-ad-849328-3.cbci-849328-3.local
Process Information:
Process ID: 0x4
Process Name:
Network Information:
Network Address: 10.222.0.89
Port: 445
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14238 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 860 | n-h1-849328-3 | | 8/24/2022 10:06:52 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-21-2114670727-606540684-783651581-1001
Account Name: Admin
Account Domain: N-H1-849328-3
Logon ID: 0x1262DA
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: n-ad-849328-3.cbci-849328-3.local
Additional Information: cifs/n-ad-849328-3.cbci-849328-3.local
Process Information:
Process ID: 0x4
Process Name:
Network Information:
Network Address: 10.222.0.89
Port: 445
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14237 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3908 | n-h1-849328-3 | | 8/24/2022 10:06:52 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-21-2114670727-606540684-783651581-1001
Account Name: Admin
Account Domain: N-H1-849328-3
Logon ID: 0x1262DA
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: n-ad-849328-3.cbci-849328-3.local
Additional Information: cifs/n-ad-849328-3.cbci-849328-3.local
Process Information:
Process ID: 0x4
Process Name:
Network Information:
Network Address: 10.222.0.89
Port: 445
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14236 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 860 | n-h1-849328-3 | | 8/24/2022 10:06:52 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-21-2114670727-606540684-783651581-1001
Account Name: Admin
Account Domain: N-H1-849328-3
Logon ID: 0x1262DA
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: n-ad-849328-3.cbci-849328-3.local
Additional Information: cifs/n-ad-849328-3.cbci-849328-3.local
Process Information:
Process ID: 0x4
Process Name:
Network Information:
Network Address: 10.222.0.89
Port: 445
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14235 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 900 | n-h1-849328-3 | | 8/24/2022 10:06:52 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-21-2114670727-606540684-783651581-1001
Account Name: Admin
Account Domain: N-H1-849328-3
Logon ID: 0x1262DA
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: n-ad-849328-3.cbci-849328-3.local
Additional Information: cifs/n-ad-849328-3.cbci-849328-3.local
Process Information:
Process ID: 0x4
Process Name:
Network Information:
Network Address: 10.222.0.89
Port: 445
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14234 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3116 | n-h1-849328-3 | | 8/24/2022 10:06:52 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-21-2114670727-606540684-783651581-1001
Account Name: Admin
Account Domain: N-H1-849328-3
Logon ID: 0x1262DA
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: n-ad-849328-3.cbci-849328-3.local
Additional Information: cifs/n-ad-849328-3.cbci-849328-3.local
Process Information:
Process ID: 0x4
Process Name:
Network Information:
Network Address: 10.222.0.89
Port: 445
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14233 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3116 | n-h1-849328-3 | | 8/24/2022 10:06:52 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-21-2114670727-606540684-783651581-1001
Account Name: Admin
Account Domain: N-H1-849328-3
Logon ID: 0x1262DA
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: n-ad-849328-3.cbci-849328-3.local
Additional Information: cifs/n-ad-849328-3.cbci-849328-3.local
Process Information:
Process ID: 0x4
Process Name:
Network Information:
Network Address: 10.222.0.89
Port: 445
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14232 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 860 | n-h1-849328-3 | | 8/24/2022 10:06:52 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-21-2114670727-606540684-783651581-1001
Account Name: Admin
Account Domain: N-H1-849328-3
Logon ID: 0x1262DA
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: n-ad-849328-3.cbci-849328-3.local
Additional Information: LDAP/n-ad-849328-3.cbci-849328-3.local
Process Information:
Process ID: 0x538
Process Name: C:\Windows\System32\svchost.exe
Network Information:
Network Address: 10.222.0.89
Port: 49666
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14231 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3116 | n-h1-849328-3 | | 8/24/2022 10:06:52 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-21-2114670727-606540684-783651581-1001
Account Name: Admin
Account Domain: N-H1-849328-3
Logon ID: 0x1262DA
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon GUID: {0FEEB4AA-C1CD-2506-22F2-1F785EFE63E4}
Target Server:
Target Server Name: n-ad-849328-3.cbci-849328-3.local
Additional Information: ldap/n-ad-849328-3.cbci-849328-3.local
Process Information:
Process ID: 0x538
Process Name: C:\Windows\System32\svchost.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14230 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3116 | n-h1-849328-3 | | 8/24/2022 10:06:52 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-21-2114670727-606540684-783651581-1001
Account Name: Admin
Account Domain: N-H1-849328-3
Logon ID: 0x1262DA
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: Administrator
Account Domain: CBCI-849328-3.LOCAL
Logon GUID: {0FEEB4AA-C1CD-2506-22F2-1F785EFE63E4}
Target Server:
Target Server Name: n-ad-849328-3.cbci-849328-3.local
Additional Information: cifs/n-ad-849328-3.cbci-849328-3.local
Process Information:
Process ID: 0x4
Process Name:
Network Information:
Network Address: 10.222.0.89
Port: 445
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14229 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3116 | n-h1-849328-3 | | 8/24/2022 10:06:52 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-21-2114670727-606540684-783651581-1001
Account Name: Admin
Account Domain: N-H1-849328-3
Logon ID: 0x1262DA
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Process Information:
Process ID: 0xa04
Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14228 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3116 | n-h1-849328-3 | | 8/24/2022 10:06:37 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14227 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 900 | n-h1-849328-3 | | 8/24/2022 9:44:00 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14226 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 900 | n-h1-849328-3 | | 8/24/2022 9:44:00 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14225 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 860 | n-h1-849328-3 | | 8/24/2022 9:27:49 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14224 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 860 | n-h1-849328-3 | | 8/24/2022 9:27:49 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A user's local group membership was enumerated.
Subject:
Security ID: S-1-5-21-2114670727-606540684-783651581-1001
Account Name: Admin
Account Domain: N-H1-849328-3
Logon ID: 0x1262DA
User:
Security ID: S-1-5-21-2114670727-606540684-783651581-1001
Account Name: Admin
Account Domain: N-H1-849328-3
Process Information:
Process ID: 0x3cc
Process Name: C:\Program Files\Git\usr\bin\bash.exe | 4798 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14223 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3596 | n-h1-849328-3 | | 8/24/2022 9:27:38 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-2114670727-606540684-783651581-1001
Account Name: Admin
Account Domain: N-H1-849328-3
Logon ID: 0x1262DA
Privileges: SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14222 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3596 | n-h1-849328-3 | | 8/24/2022 9:24:49 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-20
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E4
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-2114670727-606540684-783651581-1001
Account Name: Admin
Account Domain: N-H1-849328-3
Logon ID: 0x1262DA
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x538
Process Name: C:\Windows\System32\svchost.exe
Network Information:
Workstation Name: N-H1-849328-3
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14221 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3596 | n-h1-849328-3 | | 8/24/2022 9:24:49 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-20
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E4
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: Admin
Account Domain: N-H1-849328-3
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x538
Process Name: C:\Windows\System32\svchost.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14220 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3596 | n-h1-849328-3 | | 8/24/2022 9:24:49 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: Admin
Source Workstation: N-H1-849328-3
Error Code: 0x0 | 4776 | 0 | | 0 | 14336 | 0 | -9214364837600034816 | 14219 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3596 | n-h1-849328-3 | | 8/24/2022 9:24:49 AM | aca241c0-b79a-0005-7046-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Credential Validation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-2114670727-606540684-783651581-1001
Account Name: Admin
Account Domain: N-H1-849328-3
Logon ID: 0x12416D
Privileges: SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14218 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 900 | n-h1-849328-3 | | 8/24/2022 9:24:48 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-20
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E4
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-2114670727-606540684-783651581-1001
Account Name: Admin
Account Domain: N-H1-849328-3
Logon ID: 0x12416D
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x538
Process Name: C:\Windows\System32\svchost.exe
Network Information:
Workstation Name: N-H1-849328-3
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14217 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 900 | n-h1-849328-3 | | 8/24/2022 9:24:48 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-20
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E4
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: Admin
Account Domain: N-H1-849328-3
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x538
Process Name: C:\Windows\System32\svchost.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14216 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 900 | n-h1-849328-3 | | 8/24/2022 9:24:48 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: Admin
Source Workstation: N-H1-849328-3
Error Code: 0x0 | 4776 | 0 | | 0 | 14336 | 0 | -9214364837600034816 | 14215 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 900 | n-h1-849328-3 | | 8/24/2022 9:24:48 AM | aca241c0-b79a-0002-d543-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Credential Validation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-2114670727-606540684-783651581-1001
Account Name: Admin
Account Domain: N-H1-849328-3
Logon ID: 0x113D2A
Privileges: SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14214 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3596 | n-h1-849328-3 | | 8/24/2022 9:24:42 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-20
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E4
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-2114670727-606540684-783651581-1001
Account Name: Admin
Account Domain: N-H1-849328-3
Logon ID: 0x113D2A
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x538
Process Name: C:\Windows\System32\svchost.exe
Network Information:
Workstation Name: N-H1-849328-3
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14213 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3596 | n-h1-849328-3 | | 8/24/2022 9:24:42 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-20
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E4
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: Admin
Account Domain: N-H1-849328-3
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x538
Process Name: C:\Windows\System32\svchost.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14212 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3596 | n-h1-849328-3 | | 8/24/2022 9:24:42 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: Admin
Source Workstation: N-H1-849328-3
Error Code: 0x0 | 4776 | 0 | | 0 | 14336 | 0 | -9214364837600034816 | 14211 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3596 | n-h1-849328-3 | | 8/24/2022 9:24:42 AM | aca241c0-b79a-0004-cf43-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Credential Validation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-2114670727-606540684-783651581-1001
Account Name: Admin
Account Domain: N-H1-849328-3
Logon ID: 0x110B95
Privileges: SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14210 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3596 | n-h1-849328-3 | | 8/24/2022 9:24:40 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-20
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E4
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-2114670727-606540684-783651581-1001
Account Name: Admin
Account Domain: N-H1-849328-3
Logon ID: 0x110B95
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x538
Process Name: C:\Windows\System32\svchost.exe
Network Information:
Workstation Name: N-H1-849328-3
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14209 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3596 | n-h1-849328-3 | | 8/24/2022 9:24:40 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-20
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E4
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: Admin
Account Domain: N-H1-849328-3
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x538
Process Name: C:\Windows\System32\svchost.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14208 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3596 | n-h1-849328-3 | | 8/24/2022 9:24:40 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: Admin
Source Workstation: N-H1-849328-3
Error Code: 0x0 | 4776 | 0 | | 0 | 14336 | 0 | -9214364837600034816 | 14207 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3596 | n-h1-849328-3 | | 8/24/2022 9:24:40 AM | aca241c0-b79a-0001-9945-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Credential Validation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An attempt was made to reset an account's password.
Subject:
Security ID: S-1-5-21-2114670727-606540684-783651581-1001
Account Name: Admin
Account Domain: N-H1-849328-3
Logon ID: 0x8C8DB
Target Account:
Security ID: S-1-5-21-2114670727-606540684-783651581-500
Account Name: Administrator
Account Domain: N-H1-849328-3 | 4724 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14206 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 860 | n-h1-849328-3 | | 8/24/2022 9:23:59 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A user account was changed.
Subject:
Security ID: S-1-5-21-2114670727-606540684-783651581-1001
Account Name: Admin
Account Domain: N-H1-849328-3
Logon ID: 0x8C8DB
Target Account:
Security ID: S-1-5-21-2114670727-606540684-783651581-500
Account Name: Administrator
Account Domain: N-H1-849328-3
Changed Attributes:
SAM Account Name: Administrator
Display Name: <value not set>
User Principal Name: -
Home Directory: <value not set>
Home Drive: <value not set>
Script Path: <value not set>
Profile Path: <value not set>
User Workstations: <value not set>
Password Last Set: 8/24/2022 9:23:59 AM
Account Expires: <never>
Primary Group ID: 513
AllowedToDelegateTo: -
Old UAC Value: 0x10
New UAC Value: 0x10
User Account Control: -
User Parameters: -
SID History: -
Logon Hours: All
Additional Information:
Privileges: - | 4738 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14205 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 860 | n-h1-849328-3 | | 8/24/2022 9:23:59 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A user's local group membership was enumerated.
Subject:
Security ID: S-1-5-21-2114670727-606540684-783651581-1001
Account Name: Admin
Account Domain: N-H1-849328-3
Logon ID: 0x8C8DB
User:
Security ID: S-1-5-21-2114670727-606540684-783651581-500
Account Name: Administrator
Account Domain: N-H1-849328-3
Process Information:
Process ID: 0xe38
Process Name: C:\Windows\System32\net1.exe | 4798 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14204 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 860 | n-h1-849328-3 | | 8/24/2022 9:23:59 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Cryptographic operation.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: RSA
Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11
Key Type: User key.
Cryptographic Operation:
Operation: Open Key.
Return Code: 0x0 | 5061 | 0 | | 0 | 12290 | 0 | -9214364837600034816 | 14203 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 860 | n-h1-849328-3 | | 8/24/2022 9:23:46 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | System Integrity | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Key file operation.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: UNKNOWN
Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11
Key Type: User key.
Key File Operation Information:
File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\63819b95e4646e20a43fc837afb825c9_6f209d63-1e80-4632-84d6-2afc9405ddcc
Operation: Read persisted key from file.
Return Code: 0x0 | 5058 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14202 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 860 | n-h1-849328-3 | | 8/24/2022 9:23:46 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-21-2114670727-606540684-783651581-1001
Account Name: Admin
Account Domain: N-H1-849328-3
Logon ID: 0x8C8DB
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Process Information:
Process ID: 0xeac
Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14201 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 896 | n-h1-849328-3 | | 8/24/2022 9:23:44 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Key migration operation.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: ECDSA_P256
Key Name: Microsoft Connected Devices Platform device certificate
Key Type: User key.
Additional Information:
Operation: Export of persistent cryptographic key.
Return Code: 0x0 | 5059 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14200 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3596 | n-h1-849328-3 | | 8/24/2022 9:22:17 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Key migration operation.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: ECDSA_P256
Key Name: Microsoft Connected Devices Platform device certificate
Key Type: User key.
Additional Information:
Operation: Export of persistent cryptographic key.
Return Code: 0x0 | 5059 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14199 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3596 | n-h1-849328-3 | | 8/24/2022 9:22:17 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Key migration operation.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: ECDSA_P256
Key Name: Microsoft Connected Devices Platform device certificate
Key Type: User key.
Additional Information:
Operation: Export of persistent cryptographic key.
Return Code: 0x0 | 5059 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14198 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3596 | n-h1-849328-3 | | 8/24/2022 9:22:17 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Cryptographic operation.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: ECDSA_P256
Key Name: Microsoft Connected Devices Platform device certificate
Key Type: User key.
Cryptographic Operation:
Operation: Open Key.
Return Code: 0x0 | 5061 | 0 | | 0 | 12290 | 0 | -9214364837600034816 | 14197 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3596 | n-h1-849328-3 | | 8/24/2022 9:22:17 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | System Integrity | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Key file operation.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: UNKNOWN
Key Name: Microsoft Connected Devices Platform device certificate
Key Type: User key.
Key File Operation Information:
File Path: C:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_aed26481-f95f-43a5-9ed9-d7743aaab555
Operation: Read persisted key from file.
Return Code: 0x0 | 5058 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14196 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3596 | n-h1-849328-3 | | 8/24/2022 9:22:17 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Cryptographic operation.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: ECDSA_P256
Key Name: Microsoft Connected Devices Platform device certificate
Key Type: User key.
Cryptographic Operation:
Operation: Create Key.
Return Code: 0x0 | 5061 | 0 | | 0 | 12290 | 0 | -9214364837600034816 | 14195 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3596 | n-h1-849328-3 | | 8/24/2022 9:22:17 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | System Integrity | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Key file operation.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: ECDSA_P256
Key Name: Microsoft Connected Devices Platform device certificate
Key Type: User key.
Key File Operation Information:
File Path: C:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_aed26481-f95f-43a5-9ed9-d7743aaab555
Operation: Write persisted key to file.
Return Code: 0x0 | 5058 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14194 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3596 | n-h1-849328-3 | | 8/24/2022 9:22:17 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Cryptographic operation.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: UNKNOWN
Key Name: Microsoft Connected Devices Platform device certificate
Key Type: User key.
Cryptographic Operation:
Operation: Open Key.
Return Code: 0x80090016 | 5061 | 0 | | 0 | 12290 | 0 | -9218868437227405312 | 14193 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3596 | n-h1-849328-3 | | 8/24/2022 9:22:17 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | System Integrity | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Key file operation.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: ECDSA_P256
Key Name: Microsoft Connected Devices Platform device certificate
Key Type: User key.
Key File Operation Information:
File Path: C:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_6f209d63-1e80-4632-84d6-2afc9405ddcc
Operation: Delete key file.
Return Code: 0x0 | 5058 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14192 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3596 | n-h1-849328-3 | | 8/24/2022 9:22:17 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Cryptographic operation.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: ECDSA_P256
Key Name: Microsoft Connected Devices Platform device certificate
Key Type: User key.
Cryptographic Operation:
Operation: Open Key.
Return Code: 0x0 | 5061 | 0 | | 0 | 12290 | 0 | -9214364837600034816 | 14191 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3596 | n-h1-849328-3 | | 8/24/2022 9:22:17 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | System Integrity | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Key file operation.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: UNKNOWN
Key Name: Microsoft Connected Devices Platform device certificate
Key Type: User key.
Key File Operation Information:
File Path: C:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_6f209d63-1e80-4632-84d6-2afc9405ddcc
Operation: Read persisted key from file.
Return Code: 0x0 | 5058 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14190 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3596 | n-h1-849328-3 | | 8/24/2022 9:22:17 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Key migration operation.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: ECDSA_P256
Key Name: Microsoft Connected Devices Platform device certificate
Key Type: User key.
Additional Information:
Operation: Export of persistent cryptographic key.
Return Code: 0x0 | 5059 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14189 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3596 | n-h1-849328-3 | | 8/24/2022 9:22:17 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Cryptographic operation.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: ECDSA_P256
Key Name: Microsoft Connected Devices Platform device certificate
Key Type: User key.
Cryptographic Operation:
Operation: Open Key.
Return Code: 0x0 | 5061 | 0 | | 0 | 12290 | 0 | -9214364837600034816 | 14188 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3596 | n-h1-849328-3 | | 8/24/2022 9:22:17 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | System Integrity | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Key file operation.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: UNKNOWN
Key Name: Microsoft Connected Devices Platform device certificate
Key Type: User key.
Key File Operation Information:
File Path: C:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_6f209d63-1e80-4632-84d6-2afc9405ddcc
Operation: Read persisted key from file.
Return Code: 0x0 | 5058 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14187 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3596 | n-h1-849328-3 | | 8/24/2022 9:22:17 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-2114670727-606540684-783651581-1001
Account Name: Admin
Account Domain: N-H1-849328-3
Logon ID: 0x8C8DB
Privileges: SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14186 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3596 | n-h1-849328-3 | | 8/24/2022 9:21:21 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-20
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E4
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-2114670727-606540684-783651581-1001
Account Name: Admin
Account Domain: N-H1-849328-3
Logon ID: 0x8C8DB
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x538
Process Name: C:\Windows\System32\svchost.exe
Network Information:
Workstation Name: N-H1-849328-3
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14185 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3596 | n-h1-849328-3 | | 8/24/2022 9:21:21 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-20
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E4
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: Admin
Account Domain: N-H1-849328-3
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x538
Process Name: C:\Windows\System32\svchost.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14184 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3596 | n-h1-849328-3 | | 8/24/2022 9:21:21 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: Admin
Source Workstation: N-H1-849328-3
Error Code: 0x0 | 4776 | 0 | | 0 | 14336 | 0 | -9214364837600034816 | 14183 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3596 | n-h1-849328-3 | | 8/24/2022 9:21:21 AM | aca241c0-b79a-0000-6942-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Credential Validation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-2114670727-606540684-783651581-1000
Account Name: cloudbase-init
Account Domain: N-H1-849328-3
Logon ID: 0x2B1D0
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14182 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3596 | n-h1-849328-3 | | 8/24/2022 9:21:18 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The system time was changed.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Process Information:
Process ID: 0x59c
Name: C:\Windows\System32\svchost.exe
Previous Time: ?2022?-?08?-?24T09:21:17.148932800Z
New Time: ?2022?-?08?-?24T09:21:17.133000000Z
This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer. | 4616 | 1 | | 0 | 12288 | 0 | -9214364837600034816 | 14181 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 212 | n-h1-849328-3 | | 8/24/2022 9:21:17 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security State Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-2114670727-606540684-783651581-1001
Account Name: Admin
Account Domain: N-H1-849328-3
Logon ID: 0x89D4B
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14180 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 900 | n-h1-849328-3 | | 8/24/2022 9:21:10 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-2114670727-606540684-783651581-1001
Account Name: Admin
Account Domain: N-H1-849328-3
Logon ID: 0x89D4B
Privileges: SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14179 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 900 | n-h1-849328-3 | | 8/24/2022 9:21:10 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-21-2114670727-606540684-783651581-1000
Account Name: cloudbase-init
Account Domain: N-H1-849328-3
Logon ID: 0x5128B
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-2114670727-606540684-783651581-1001
Account Name: Admin
Account Domain: N-H1-849328-3
Logon ID: 0x89D4B
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x538
Process Name: C:\Windows\System32\svchost.exe
Network Information:
Workstation Name: N-H1-849328-3
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14178 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 900 | n-h1-849328-3 | | 8/24/2022 9:21:10 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-21-2114670727-606540684-783651581-1000
Account Name: cloudbase-init
Account Domain: N-H1-849328-3
Logon ID: 0x5128B
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: Admin
Account Domain: N-H1-849328-3
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x538
Process Name: C:\Windows\System32\svchost.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14177 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 900 | n-h1-849328-3 | | 8/24/2022 9:21:10 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: Admin
Source Workstation: N-H1-849328-3
Error Code: 0x0 | 4776 | 0 | | 0 | 14336 | 0 | -9214364837600034816 | 14176 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 900 | n-h1-849328-3 | | 8/24/2022 9:21:10 AM | aca241c0-b79a-0004-4542-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Credential Validation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Cryptographic operation.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: RSA
Key Name: 40e41d01-68cd-4460-9fd4-0564d5289d6f
Key Type: Machine key.
Cryptographic Operation:
Operation: Open Key.
Return Code: 0x0 | 5061 | 0 | | 0 | 12290 | 0 | -9214364837600034816 | 14175 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 900 | n-h1-849328-3 | | 8/24/2022 9:21:10 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | System Integrity | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Key file operation.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: UNKNOWN
Key Name: 40e41d01-68cd-4460-9fd4-0564d5289d6f
Key Type: Machine key.
Key File Operation Information:
File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\8393cd0ea261579156fd7b62dc3a5267_aed26481-f95f-43a5-9ed9-d7743aaab555
Operation: Read persisted key from file.
Return Code: 0x0 | 5058 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14174 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 900 | n-h1-849328-3 | | 8/24/2022 9:21:10 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An attempt was made to reset an account's password.
Subject:
Security ID: S-1-5-21-2114670727-606540684-783651581-1000
Account Name: cloudbase-init
Account Domain: N-H1-849328-3
Logon ID: 0x5128B
Target Account:
Security ID: S-1-5-21-2114670727-606540684-783651581-1001
Account Name: Admin
Account Domain: N-H1-849328-3 | 4724 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14173 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3596 | n-h1-849328-3 | | 8/24/2022 9:21:07 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A user account was changed.
Subject:
Security ID: S-1-5-21-2114670727-606540684-783651581-1000
Account Name: cloudbase-init
Account Domain: N-H1-849328-3
Logon ID: 0x5128B
Target Account:
Security ID: S-1-5-21-2114670727-606540684-783651581-1001
Account Name: Admin
Account Domain: N-H1-849328-3
Changed Attributes:
SAM Account Name: Admin
Display Name: Admin
User Principal Name: -
Home Directory: <value not set>
Home Drive: <value not set>
Script Path: <value not set>
Profile Path: <value not set>
User Workstations: <value not set>
Password Last Set: 8/24/2022 9:21:07 AM
Account Expires: <never>
Primary Group ID: 513
AllowedToDelegateTo: -
Old UAC Value: 0x210
New UAC Value: 0x210
User Account Control: -
User Parameters: -
SID History: -
Logon Hours: All
Additional Information:
Privileges: - | 4738 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14172 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3596 | n-h1-849328-3 | | 8/24/2022 9:21:07 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A user's local group membership was enumerated.
Subject:
Security ID: S-1-5-21-2114670727-606540684-783651581-1000
Account Name: cloudbase-init
Account Domain: N-H1-849328-3
Logon ID: 0x5128B
User:
Security ID: S-1-5-21-2114670727-606540684-783651581-1001
Account Name: Admin
Account Domain: N-H1-849328-3
Process Information:
Process ID: 0x9e8
Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe | 4798 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14171 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3596 | n-h1-849328-3 | | 8/24/2022 9:21:07 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A user's local group membership was enumerated.
Subject:
Security ID: S-1-5-21-2114670727-606540684-783651581-1000
Account Name: cloudbase-init
Account Domain: N-H1-849328-3
Logon ID: 0x5128B
User:
Security ID: S-1-5-21-2114670727-606540684-783651581-1001
Account Name: Admin
Account Domain: N-H1-849328-3
Process Information:
Process ID: 0x9e8
Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe | 4798 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14170 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3596 | n-h1-849328-3 | | 8/24/2022 9:21:07 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A user's local group membership was enumerated.
Subject:
Security ID: S-1-5-21-2114670727-606540684-783651581-1000
Account Name: cloudbase-init
Account Domain: N-H1-849328-3
Logon ID: 0x5128B
User:
Security ID: S-1-5-21-2114670727-606540684-783651581-1001
Account Name: Admin
Account Domain: N-H1-849328-3
Process Information:
Process ID: 0x9e8
Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe | 4798 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14169 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3596 | n-h1-849328-3 | | 8/24/2022 9:21:07 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14168 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3596 | n-h1-849328-3 | | 8/24/2022 9:21:03 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14167 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3596 | n-h1-849328-3 | | 8/24/2022 9:21:03 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A user's local group membership was enumerated.
Subject:
Security ID: S-1-5-21-2114670727-606540684-783651581-1000
Account Name: cloudbase-init
Account Domain: N-H1-849328-3
Logon ID: 0x5128B
User:
Security ID: S-1-5-21-2114670727-606540684-783651581-1001
Account Name: Admin
Account Domain: N-H1-849328-3
Process Information:
Process ID: 0x9e8
Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe | 4798 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14166 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3596 | n-h1-849328-3 | | 8/24/2022 9:21:03 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A member was added to a security-enabled local group.
Subject:
Security ID: S-1-5-21-2114670727-606540684-783651581-1000
Account Name: cloudbase-init
Account Domain: N-H1-849328-3
Logon ID: 0x5128B
Member:
Security ID: S-1-5-21-2114670727-606540684-783651581-1001
Account Name: -
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Additional Information:
Privileges: - | 4732 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14165 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3596 | n-h1-849328-3 | | 8/24/2022 9:21:02 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-2114670727-606540684-783651581-1001
Account Name: Admin
Account Domain: N-H1-849328-3
Logon ID: 0x6A831
Logon Type: 2
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14164 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 900 | n-h1-849328-3 | | 8/24/2022 9:21:02 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-21-2114670727-606540684-783651581-1000
Account Name: cloudbase-init
Account Domain: N-H1-849328-3
Logon ID: 0x5128B
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Process Information:
Process ID: 0x254
Process Name: C:\Windows\System32\svchost.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14163 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 900 | n-h1-849328-3 | | 8/24/2022 9:21:02 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-21-2114670727-606540684-783651581-1000
Account Name: cloudbase-init
Account Domain: N-H1-849328-3
Logon ID: 0x5128B
Logon Information:
Logon Type: 2
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: No
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-2114670727-606540684-783651581-1001
Account Name: Admin
Account Domain: N-H1-849328-3
Logon ID: 0x6A831
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9e8
Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe
Network Information:
Workstation Name: N-H1-849328-3
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14162 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 900 | n-h1-849328-3 | | 8/24/2022 9:21:00 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-21-2114670727-606540684-783651581-1000
Account Name: cloudbase-init
Account Domain: N-H1-849328-3
Logon ID: 0x5128B
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: Admin
Account Domain: N-H1-849328-3
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9e8
Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14161 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 900 | n-h1-849328-3 | | 8/24/2022 9:21:00 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: Admin
Source Workstation: N-H1-849328-3
Error Code: 0x0 | 4776 | 0 | | 0 | 14336 | 0 | -9214364837600034816 | 14160 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 900 | n-h1-849328-3 | | 8/24/2022 9:21:00 AM | aca241c0-b79a-0000-2842-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Credential Validation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An attempt was made to reset an account's password.
Subject:
Security ID: S-1-5-21-2114670727-606540684-783651581-1000
Account Name: cloudbase-init
Account Domain: N-H1-849328-3
Logon ID: 0x5128B
Target Account:
Security ID: S-1-5-21-2114670727-606540684-783651581-1001
Account Name: Admin
Account Domain: N-H1-849328-3 | 4724 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14159 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 900 | n-h1-849328-3 | | 8/24/2022 9:20:56 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A user account was changed.
Subject:
Security ID: S-1-5-21-2114670727-606540684-783651581-1000
Account Name: cloudbase-init
Account Domain: N-H1-849328-3
Logon ID: 0x5128B
Target Account:
Security ID: S-1-5-21-2114670727-606540684-783651581-1001
Account Name: Admin
Account Domain: N-H1-849328-3
Changed Attributes:
SAM Account Name: Admin
Display Name: Admin
User Principal Name: -
Home Directory: <value not set>
Home Drive: <value not set>
Script Path: <value not set>
Profile Path: <value not set>
User Workstations: <value not set>
Password Last Set: 8/24/2022 9:20:56 AM
Account Expires: <never>
Primary Group ID: 513
AllowedToDelegateTo: -
Old UAC Value: 0x15
New UAC Value: 0x210
User Account Control:
Account Enabled
'Password Not Required' - Disabled
'Don't Expire Password' - Enabled
User Parameters: -
SID History: -
Logon Hours: All
Additional Information:
Privileges: - | 4738 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14158 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 900 | n-h1-849328-3 | | 8/24/2022 9:20:56 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A user account was enabled.
Subject:
Security ID: S-1-5-21-2114670727-606540684-783651581-1000
Account Name: cloudbase-init
Account Domain: N-H1-849328-3
Logon ID: 0x5128B
Target Account:
Security ID: S-1-5-21-2114670727-606540684-783651581-1001
Account Name: Admin
Account Domain: N-H1-849328-3 | 4722 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14157 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 900 | n-h1-849328-3 | | 8/24/2022 9:20:56 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A user account was created.
Subject:
Security ID: S-1-5-21-2114670727-606540684-783651581-1000
Account Name: cloudbase-init
Account Domain: N-H1-849328-3
Logon ID: 0x5128B
New Account:
Security ID: S-1-5-21-2114670727-606540684-783651581-1001
Account Name: Admin
Account Domain: N-H1-849328-3
Attributes:
SAM Account Name: Admin
Display Name: <value not set>
User Principal Name: -
Home Directory: <value not set>
Home Drive: <value not set>
Script Path: <value not set>
Profile Path: <value not set>
User Workstations: <value not set>
Password Last Set: <never>
Account Expires: <never>
Primary Group ID: 513
Allowed To Delegate To: -
Old UAC Value: 0x0
New UAC Value: 0x15
User Account Control:
Account Disabled
'Password Not Required' - Enabled
'Normal Account' - Enabled
User Parameters: <value not set>
SID History: -
Logon Hours: All
Additional Information:
Privileges - | 4720 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14156 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 900 | n-h1-849328-3 | | 8/24/2022 9:20:56 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A member was added to a security-enabled global group.
Subject:
Security ID: S-1-5-21-2114670727-606540684-783651581-1000
Account Name: cloudbase-init
Account Domain: N-H1-849328-3
Logon ID: 0x5128B
Member:
Security ID: S-1-5-21-2114670727-606540684-783651581-1001
Account Name: -
Group:
Security ID: S-1-5-21-2114670727-606540684-783651581-513
Group Name: None
Group Domain: N-H1-849328-3
Additional Information:
Privileges: - | 4728 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14155 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 900 | n-h1-849328-3 | | 8/24/2022 9:20:56 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-2114670727-606540684-783651581-1000
Account Name: cloudbase-init
Account Domain: N-H1-849328-3
Logon ID: 0x5128B
Privileges: SeAssignPrimaryTokenPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14154 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 860 | n-h1-849328-3 | | 8/24/2022 9:20:31 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-21-2114670727-606540684-783651581-1000
Account Name: cloudbase-init
Account Domain: N-H1-849328-3
Logon ID: 0x2B1D0
Logon Information:
Logon Type: 4
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-2114670727-606540684-783651581-1000
Account Name: cloudbase-init
Account Domain: N-H1-849328-3
Logon ID: 0x5128B
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xee8
Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe
Network Information:
Workstation Name: N-H1-849328-3
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14153 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 860 | n-h1-849328-3 | | 8/24/2022 9:20:31 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: cloudbase-init
Source Workstation: N-H1-849328-3
Error Code: 0x0 | 4776 | 0 | | 0 | 14336 | 0 | -9214364837600034816 | 14152 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 860 | n-h1-849328-3 | | 8/24/2022 9:20:31 AM | aca241c0-b79a-0001-3242-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Credential Validation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An attempt was made to reset an account's password.
Subject:
Security ID: S-1-5-21-2114670727-606540684-783651581-1000
Account Name: cloudbase-init
Account Domain: N-H1-849328-3
Logon ID: 0x2B1D0
Target Account:
Security ID: S-1-5-21-2114670727-606540684-783651581-1000
Account Name: cloudbase-init
Account Domain: N-H1-849328-3 | 4724 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14151 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 860 | n-h1-849328-3 | | 8/24/2022 9:20:31 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A user account was changed.
Subject:
Security ID: S-1-5-21-2114670727-606540684-783651581-1000
Account Name: cloudbase-init
Account Domain: N-H1-849328-3
Logon ID: 0x2B1D0
Target Account:
Security ID: S-1-5-21-2114670727-606540684-783651581-1000
Account Name: cloudbase-init
Account Domain: N-H1-849328-3
Changed Attributes:
SAM Account Name: cloudbase-init
Display Name: cloudbase-init
User Principal Name: -
Home Directory: <value not set>
Home Drive: <value not set>
Script Path: <value not set>
Profile Path: <value not set>
User Workstations: <value not set>
Password Last Set: 8/24/2022 9:20:31 AM
Account Expires: <never>
Primary Group ID: 513
AllowedToDelegateTo: -
Old UAC Value: 0x210
New UAC Value: 0x210
User Account Control: -
User Parameters: -
SID History: -
Logon Hours: All
Additional Information:
Privileges: - | 4738 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14150 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 860 | n-h1-849328-3 | | 8/24/2022 9:20:31 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A user's local group membership was enumerated.
Subject:
Security ID: S-1-5-21-2114670727-606540684-783651581-1000
Account Name: cloudbase-init
Account Domain: N-H1-849328-3
Logon ID: 0x2B1D0
User:
Security ID: S-1-5-21-2114670727-606540684-783651581-1000
Account Name: cloudbase-init
Account Domain: N-H1-849328-3
Process Information:
Process ID: 0xee8
Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe | 4798 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14149 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 860 | n-h1-849328-3 | | 8/24/2022 9:20:31 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A user's local group membership was enumerated.
Subject:
Security ID: S-1-5-21-2114670727-606540684-783651581-1000
Account Name: cloudbase-init
Account Domain: N-H1-849328-3
Logon ID: 0x2B1D0
User:
Security ID: S-1-5-21-2114670727-606540684-783651581-1000
Account Name: cloudbase-init
Account Domain: N-H1-849328-3
Process Information:
Process ID: 0xee8
Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe | 4798 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14148 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 860 | n-h1-849328-3 | | 8/24/2022 9:20:31 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14147 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3596 | n-h1-849328-3 | | 8/24/2022 9:20:29 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14146 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3596 | n-h1-849328-3 | | 8/24/2022 9:20:29 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account failed to log on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Type: 2
Account For Which Logon Failed:
Security ID: S-1-0-0
Account Name: Administrator
Account Domain: N-H1-849328-3
Failure Information:
Failure Reason: The specified account's password has expired.
Status: 0xC0000224
Sub Status: 0x0
Process Information:
Caller Process ID: 0x254
Caller Process Name: C:\Windows\System32\svchost.exe
Network Information:
Workstation Name: N-H1-849328-3
Source Network Address: 127.0.0.1
Source Port: 0
Detailed Authentication Information:
Logon Process: User32
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4625 | 0 | | 0 | 12544 | 0 | -9218868437227405312 | 14145 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3596 | n-h1-849328-3 | | 8/24/2022 9:20:26 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A user's local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
User:
Security ID: S-1-5-21-2114670727-606540684-783651581-500
Account Name: Administrator
Account Domain: N-H1-849328-3
Process Information:
Process ID: 0xc4c
Process Name: C:\Windows\System32\LogonUI.exe | 4798 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14144 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 860 | n-h1-849328-3 | | 8/24/2022 9:20:26 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-551
Group Name: Backup Operators
Group Domain: Builtin
Process Information:
Process ID: 0x9fc
Process Name: C:\Windows\System32\vmms.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14143 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 900 | n-h1-849328-3 | | 8/24/2022 9:20:23 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Process Information:
Process ID: 0x9fc
Process Name: C:\Windows\System32\vmms.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14142 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 900 | n-h1-849328-3 | | 8/24/2022 9:20:23 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Cryptographic operation.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: RSA
Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11
Key Type: User key.
Cryptographic Operation:
Operation: Open Key.
Return Code: 0x0 | 5061 | 0 | | 0 | 12290 | 0 | -9214364837600034816 | 14141 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 860 | n-h1-849328-3 | | 8/24/2022 9:20:23 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | System Integrity | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Key file operation.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: UNKNOWN
Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11
Key Type: User key.
Key File Operation Information:
File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\63819b95e4646e20a43fc837afb825c9_6f209d63-1e80-4632-84d6-2afc9405ddcc
Operation: Read persisted key from file.
Return Code: 0x0 | 5058 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14140 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 860 | n-h1-849328-3 | | 8/24/2022 9:20:23 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14139 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 900 | n-h1-849328-3 | | 8/24/2022 9:20:23 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14138 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 900 | n-h1-849328-3 | | 8/24/2022 9:20:23 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Process Information:
Process ID: 0x254
Process Name: C:\Windows\System32\svchost.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14137 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 860 | n-h1-849328-3 | | 8/24/2022 9:20:21 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Cryptographic operation.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: RSA
Key Name: TSSecKeySet1
Key Type: Machine key.
Cryptographic Operation:
Operation: Open Key.
Return Code: 0x0 | 5061 | 0 | | 0 | 12290 | 0 | -9214364837600034816 | 14136 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:20 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | System Integrity | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Key file operation.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: UNKNOWN
Key Name: TSSecKeySet1
Key Type: Machine key.
Key File Operation Information:
File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_aed26481-f95f-43a5-9ed9-d7743aaab555
Operation: Read persisted key from file.
Return Code: 0x0 | 5058 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14135 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:20 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Cryptographic operation.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: RSA
Key Name: TSSecKeySet1
Key Type: Machine key.
Cryptographic Operation:
Operation: Open Key.
Return Code: 0x0 | 5061 | 0 | | 0 | 12290 | 0 | -9214364837600034816 | 14134 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:20 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | System Integrity | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Key file operation.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: UNKNOWN
Key Name: TSSecKeySet1
Key Type: Machine key.
Key File Operation Information:
File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_aed26481-f95f-43a5-9ed9-d7743aaab555
Operation: Read persisted key from file.
Return Code: 0x0 | 5058 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14133 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:20 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-2114670727-606540684-783651581-1000
Account Name: cloudbase-init
Account Domain: N-H1-849328-3
Logon ID: 0x2B1D0
Privileges: SeAssignPrimaryTokenPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14132 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:19 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-2114670727-606540684-783651581-1000
Account Name: cloudbase-init
Account Domain: N-H1-849328-3
Logon ID: 0x2B1D0
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: N-H1-849328-3
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14131 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:19 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: cloudbase-init
Account Domain: N-H1-849328-3
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14130 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:19 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: cloudbase-init
Source Workstation: N-H1-849328-3
Error Code: 0x0 | 4776 | 0 | | 0 | 14336 | 0 | -9214364837600034816 | 14129 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:19 AM | aca241c0-b79a-0002-ec41-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Credential Validation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Key migration operation.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: RSA
Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11
Key Type: User key.
Additional Information:
Operation: Export of persistent cryptographic key.
Return Code: 0x0 | 5059 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14128 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 860 | n-h1-849328-3 | | 8/24/2022 9:20:18 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Cryptographic operation.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: RSA
Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11
Key Type: User key.
Cryptographic Operation:
Operation: Open Key.
Return Code: 0x0 | 5061 | 0 | | 0 | 12290 | 0 | -9214364837600034816 | 14127 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 860 | n-h1-849328-3 | | 8/24/2022 9:20:18 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | System Integrity | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Key file operation.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: UNKNOWN
Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11
Key Type: User key.
Key File Operation Information:
File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\63819b95e4646e20a43fc837afb825c9_6f209d63-1e80-4632-84d6-2afc9405ddcc
Operation: Read persisted key from file.
Return Code: 0x0 | 5058 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14126 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 860 | n-h1-849328-3 | | 8/24/2022 9:20:18 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Cryptographic operation.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: RSA
Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11
Key Type: User key.
Cryptographic Operation:
Operation: Open Key.
Return Code: 0x0 | 5061 | 0 | | 0 | 12290 | 0 | -9214364837600034816 | 14125 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 860 | n-h1-849328-3 | | 8/24/2022 9:20:18 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | System Integrity | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Key file operation.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: UNKNOWN
Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11
Key Type: User key.
Key File Operation Information:
File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\63819b95e4646e20a43fc837afb825c9_6f209d63-1e80-4632-84d6-2afc9405ddcc
Operation: Read persisted key from file.
Return Code: 0x0 | 5058 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14124 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 860 | n-h1-849328-3 | | 8/24/2022 9:20:18 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14123 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:18 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14122 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:18 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14121 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 860 | n-h1-849328-3 | | 8/24/2022 9:20:17 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14120 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 860 | n-h1-849328-3 | | 8/24/2022 9:20:17 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The Windows Firewall service started successfully. | 5024 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14119 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:17 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: No
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-7
Account Name: ANONYMOUS LOGON
Account Domain: NT AUTHORITY
Logon ID: 0x20C6D
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): NTLM V1
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14118 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 860 | n-h1-849328-3 | | 8/24/2022 9:20:17 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14117 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:16 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14116 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:16 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14115 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:16 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14114 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:16 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14113 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 860 | n-h1-849328-3 | | 8/24/2022 9:20:16 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14112 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 860 | n-h1-849328-3 | | 8/24/2022 9:20:16 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14111 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 860 | n-h1-849328-3 | | 8/24/2022 9:20:16 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14110 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 860 | n-h1-849328-3 | | 8/24/2022 9:20:16 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Process Information:
Process ID: 0x254
Process Name: C:\Windows\System32\svchost.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14109 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 860 | n-h1-849328-3 | | 8/24/2022 9:20:16 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14108 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 860 | n-h1-849328-3 | | 8/24/2022 9:20:16 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14107 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 860 | n-h1-849328-3 | | 8/24/2022 9:20:16 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The Windows Firewall Driver started successfully. | 5033 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14106 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 316 | n-h1-849328-3 | | 8/24/2022 9:20:16 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-551
Group Name: Backup Operators
Group Domain: Builtin
Process Information:
Process ID: 0x254
Process Name: C:\Windows\System32\svchost.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14105 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:16 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Process Information:
Process ID: 0x254
Process Name: C:\Windows\System32\svchost.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14104 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 860 | n-h1-849328-3 | | 8/24/2022 9:20:16 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-20
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E4
Group:
Security ID: S-1-5-32-551
Group Name: Backup Operators
Group Domain: Builtin
Process Information:
Process ID: 0x538
Process Name: C:\Windows\System32\svchost.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14103 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 860 | n-h1-849328-3 | | 8/24/2022 9:20:16 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-20
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E4
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Process Information:
Process ID: 0x538
Process Name: C:\Windows\System32\svchost.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14102 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 860 | n-h1-849328-3 | | 8/24/2022 9:20:16 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14101 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:16 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14100 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:16 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-551
Group Name: Backup Operators
Group Domain: Builtin
Process Information:
Process ID: 0x7e0
Process Name: C:\Windows\System32\VSSVC.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14099 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:16 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Process Information:
Process ID: 0x7e0
Process Name: C:\Windows\System32\VSSVC.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14098 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:16 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-551
Group Name: Backup Operators
Group Domain: Builtin
Process Information:
Process ID: 0x7e0
Process Name: C:\Windows\System32\VSSVC.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14097 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:16 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Process Information:
Process ID: 0x7e0
Process Name: C:\Windows\System32\VSSVC.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14096 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:16 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-551
Group Name: Backup Operators
Group Domain: Builtin
Process Information:
Process ID: 0x7e0
Process Name: C:\Windows\System32\VSSVC.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14095 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:16 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Process Information:
Process ID: 0x7e0
Process Name: C:\Windows\System32\VSSVC.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14094 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:16 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-551
Group Name: Backup Operators
Group Domain: Builtin
Process Information:
Process ID: 0x7e0
Process Name: C:\Windows\System32\VSSVC.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14093 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:15 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Process Information:
Process ID: 0x7e0
Process Name: C:\Windows\System32\VSSVC.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14092 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:15 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14091 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:15 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14090 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:15 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The system time was changed.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Process Information:
Process ID: 0x5a4
Name: C:\Windows\System32\svchost.exe
Previous Time: ?2022?-?08?-?24T09:20:15.526811500Z
New Time: ?2022?-?08?-?24T09:20:15.500000000Z
This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer. | 4616 | 1 | | 0 | 12288 | 0 | -9214364837600034816 | 14089 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 368 | n-h1-849328-3 | | 8/24/2022 9:20:15 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security State Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14088 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 860 | n-h1-849328-3 | | 8/24/2022 9:20:15 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14087 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 860 | n-h1-849328-3 | | 8/24/2022 9:20:15 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Auditing settings on object were changed.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Object:
Object Server: Security
Object Type: File
Object Name: C:\Windows\Temp\winre\ExtractedFromWim
Handle ID: 0x5e0
Process Information:
Process ID: 0x510
Process Name: C:\Windows\System32\oobe\msoobe.exe
Auditing Settings:
Original Security Descriptor:
New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) | 4907 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14086 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 212 | n-h1-849328-3 | | 8/24/2022 9:20:15 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14085 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 860 | n-h1-849328-3 | | 8/24/2022 9:20:15 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14084 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 860 | n-h1-849328-3 | | 8/24/2022 9:20:15 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14083 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 860 | n-h1-849328-3 | | 8/24/2022 9:20:15 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14082 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 860 | n-h1-849328-3 | | 8/24/2022 9:20:15 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled global group was changed.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-21-2114670727-606540684-783651581-513
Group Name: None
Group Domain: N-H1-849328-3
Changed Attributes:
SAM Account Name: None
SID History: -
Additional Information:
Privileges: - | 4737 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14081 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:13 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-21-2114670727-606540684-783651581-513
Account Domain: N-H1-849328-3
Old Account Name: None
New Account Name: None
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14080 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:13 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled global group was changed.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-21-2114670727-606540684-783651581-513
Group Name: None
Group Domain: N-H1-849328-3
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4737 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14079 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:13 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A user account was changed.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-21-2114670727-606540684-783651581-503
Account Name: DefaultAccount
Account Domain: N-H1-849328-3
Changed Attributes:
SAM Account Name: DefaultAccount
Display Name: <value not set>
User Principal Name: -
Home Directory: <value not set>
Home Drive: <value not set>
Script Path: <value not set>
Profile Path: <value not set>
User Workstations: <value not set>
Password Last Set: <never>
Account Expires: <never>
Primary Group ID: 513
AllowedToDelegateTo: -
Old UAC Value: 0x215
New UAC Value: 0x215
User Account Control: -
User Parameters: <value not set>
SID History: -
Logon Hours: All
Additional Information:
Privileges: - | 4738 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14078 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:13 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A user account was changed.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-21-2114670727-606540684-783651581-503
Account Name: DefaultAccount
Account Domain: N-H1-849328-3
Changed Attributes:
SAM Account Name: DefaultAccount
Display Name: <value not set>
User Principal Name: -
Home Directory: <value not set>
Home Drive: <value not set>
Script Path: <value not set>
Profile Path: <value not set>
User Workstations: <value not set>
Password Last Set: <never>
Account Expires: <never>
Primary Group ID: 513
AllowedToDelegateTo: -
Old UAC Value: 0x215
New UAC Value: 0x215
User Account Control: -
User Parameters: <value not set>
SID History: -
Logon Hours: All
Additional Information:
Privileges: - | 4738 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14077 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:13 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A user account was changed.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-21-2114670727-606540684-783651581-501
Account Name: Guest
Account Domain: N-H1-849328-3
Changed Attributes:
SAM Account Name: Guest
Display Name: <value not set>
User Principal Name: -
Home Directory: <value not set>
Home Drive: <value not set>
Script Path: <value not set>
Profile Path: <value not set>
User Workstations: <value not set>
Password Last Set: <never>
Account Expires: <never>
Primary Group ID: 513
AllowedToDelegateTo: -
Old UAC Value: 0x215
New UAC Value: 0x215
User Account Control: -
User Parameters: <value not set>
SID History: -
Logon Hours: All
Additional Information:
Privileges: - | 4738 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14076 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:13 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A user account was changed.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-21-2114670727-606540684-783651581-501
Account Name: Guest
Account Domain: N-H1-849328-3
Changed Attributes:
SAM Account Name: Guest
Display Name: <value not set>
User Principal Name: -
Home Directory: <value not set>
Home Drive: <value not set>
Script Path: <value not set>
Profile Path: <value not set>
User Workstations: <value not set>
Password Last Set: <never>
Account Expires: <never>
Primary Group ID: 513
AllowedToDelegateTo: -
Old UAC Value: 0x215
New UAC Value: 0x215
User Account Control: -
User Parameters: <value not set>
SID History: -
Logon Hours: All
Additional Information:
Privileges: - | 4738 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14075 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:13 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A user account was changed.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-21-2114670727-606540684-783651581-500
Account Name: Administrator
Account Domain: N-H1-849328-3
Changed Attributes:
SAM Account Name: Administrator
Display Name: <value not set>
User Principal Name: -
Home Directory: <value not set>
Home Drive: <value not set>
Script Path: <value not set>
Profile Path: <value not set>
User Workstations: <value not set>
Password Last Set: <never>
Account Expires: <never>
Primary Group ID: 513
AllowedToDelegateTo: -
Old UAC Value: 0x10
New UAC Value: 0x10
User Account Control: -
User Parameters: <value not set>
SID History: -
Logon Hours: All
Additional Information:
Privileges: - | 4738 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14074 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:13 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A user account was changed.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-21-2114670727-606540684-783651581-500
Account Name: Administrator
Account Domain: N-H1-849328-3
Changed Attributes:
SAM Account Name: Administrator
Display Name: <value not set>
User Principal Name: -
Home Directory: <value not set>
Home Drive: <value not set>
Script Path: <value not set>
Profile Path: <value not set>
User Workstations: <value not set>
Password Last Set: <never>
Account Expires: <never>
Primary Group ID: 513
AllowedToDelegateTo: -
Old UAC Value: 0x10
New UAC Value: 0x10
User Account Control: -
User Parameters: <value not set>
SID History: -
Logon Hours: All
Additional Information:
Privileges: - | 4738 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14073 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:13 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-581
Group Name: System Managed Accounts Group
Group Domain: Builtin
Changed Attributes:
SAM Account Name: System Managed Accounts Group
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14072 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:13 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-581
Account Domain: Builtin
Old Account Name: System Managed Accounts Group
New Account Name: System Managed Accounts Group
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14071 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:13 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-581
Group Name: System Managed Accounts Group
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14070 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:13 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-582
Group Name: Storage Replica Administrators
Group Domain: Builtin
Changed Attributes:
SAM Account Name: Storage Replica Administrators
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14069 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:13 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-582
Account Domain: Builtin
Old Account Name: Storage Replica Administrators
New Account Name: Storage Replica Administrators
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14068 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:13 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-582
Group Name: Storage Replica Administrators
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14067 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:13 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-580
Group Name: Remote Management Users
Group Domain: Builtin
Changed Attributes:
SAM Account Name: Remote Management Users
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14066 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:13 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-580
Account Domain: Builtin
Old Account Name: Remote Management Users
New Account Name: Remote Management Users
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14065 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:13 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-580
Group Name: Remote Management Users
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14064 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:13 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-579
Group Name: Access Control Assistance Operators
Group Domain: Builtin
Changed Attributes:
SAM Account Name: Access Control Assistance Operators
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14063 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:13 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-579
Account Domain: Builtin
Old Account Name: Access Control Assistance Operators
New Account Name: Access Control Assistance Operators
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14062 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:13 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-579
Group Name: Access Control Assistance Operators
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14061 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:13 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-578
Group Name: Hyper-V Administrators
Group Domain: Builtin
Changed Attributes:
SAM Account Name: Hyper-V Administrators
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14060 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:13 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-578
Account Domain: Builtin
Old Account Name: Hyper-V Administrators
New Account Name: Hyper-V Administrators
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14059 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:13 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-578
Group Name: Hyper-V Administrators
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14058 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:13 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-577
Group Name: RDS Management Servers
Group Domain: Builtin
Changed Attributes:
SAM Account Name: RDS Management Servers
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14057 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:13 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-577
Account Domain: Builtin
Old Account Name: RDS Management Servers
New Account Name: RDS Management Servers
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14056 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:13 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-577
Group Name: RDS Management Servers
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14055 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:13 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-576
Group Name: RDS Endpoint Servers
Group Domain: Builtin
Changed Attributes:
SAM Account Name: RDS Endpoint Servers
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14054 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:13 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-576
Account Domain: Builtin
Old Account Name: RDS Endpoint Servers
New Account Name: RDS Endpoint Servers
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14053 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:13 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-576
Group Name: RDS Endpoint Servers
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14052 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:13 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-575
Group Name: RDS Remote Access Servers
Group Domain: Builtin
Changed Attributes:
SAM Account Name: RDS Remote Access Servers
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14051 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:13 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-575
Account Domain: Builtin
Old Account Name: RDS Remote Access Servers
New Account Name: RDS Remote Access Servers
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14050 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:13 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-575
Group Name: RDS Remote Access Servers
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14049 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:13 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-574
Group Name: Certificate Service DCOM Access
Group Domain: Builtin
Changed Attributes:
SAM Account Name: Certificate Service DCOM Access
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14048 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:13 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-574
Account Domain: Builtin
Old Account Name: Certificate Service DCOM Access
New Account Name: Certificate Service DCOM Access
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14047 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:13 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-574
Group Name: Certificate Service DCOM Access
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14046 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:13 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-573
Group Name: Event Log Readers
Group Domain: Builtin
Changed Attributes:
SAM Account Name: Event Log Readers
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14045 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:13 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-573
Account Domain: Builtin
Old Account Name: Event Log Readers
New Account Name: Event Log Readers
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14044 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:13 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-573
Group Name: Event Log Readers
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14043 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:13 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-569
Group Name: Cryptographic Operators
Group Domain: Builtin
Changed Attributes:
SAM Account Name: Cryptographic Operators
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14042 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:13 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-569
Account Domain: Builtin
Old Account Name: Cryptographic Operators
New Account Name: Cryptographic Operators
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14041 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:13 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-569
Group Name: Cryptographic Operators
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14040 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:13 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-568
Group Name: IIS_IUSRS
Group Domain: Builtin
Changed Attributes:
SAM Account Name: IIS_IUSRS
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14039 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:13 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-568
Account Domain: Builtin
Old Account Name: IIS_IUSRS
New Account Name: IIS_IUSRS
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14038 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:13 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-568
Group Name: IIS_IUSRS
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14037 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:13 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-562
Group Name: Distributed COM Users
Group Domain: Builtin
Changed Attributes:
SAM Account Name: Distributed COM Users
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14036 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:13 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-562
Account Domain: Builtin
Old Account Name: Distributed COM Users
New Account Name: Distributed COM Users
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14035 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:13 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-562
Group Name: Distributed COM Users
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14034 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:13 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-559
Group Name: Performance Log Users
Group Domain: Builtin
Changed Attributes:
SAM Account Name: Performance Log Users
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14033 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:13 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-559
Account Domain: Builtin
Old Account Name: Performance Log Users
New Account Name: Performance Log Users
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14032 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:13 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-559
Group Name: Performance Log Users
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14031 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:13 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-558
Group Name: Performance Monitor Users
Group Domain: Builtin
Changed Attributes:
SAM Account Name: Performance Monitor Users
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14030 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:13 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-558
Account Domain: Builtin
Old Account Name: Performance Monitor Users
New Account Name: Performance Monitor Users
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14029 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:13 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-558
Group Name: Performance Monitor Users
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14028 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:13 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-547
Group Name: Power Users
Group Domain: Builtin
Changed Attributes:
SAM Account Name: Power Users
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14027 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:13 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-547
Account Domain: Builtin
Old Account Name: Power Users
New Account Name: Power Users
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14026 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:13 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-547
Group Name: Power Users
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14025 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:13 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-556
Group Name: Network Configuration Operators
Group Domain: Builtin
Changed Attributes:
SAM Account Name: Network Configuration Operators
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14024 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:13 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-556
Account Domain: Builtin
Old Account Name: Network Configuration Operators
New Account Name: Network Configuration Operators
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14023 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:13 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-556
Group Name: Network Configuration Operators
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14022 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:13 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-555
Group Name: Remote Desktop Users
Group Domain: Builtin
Changed Attributes:
SAM Account Name: Remote Desktop Users
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14021 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:13 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-555
Account Domain: Builtin
Old Account Name: Remote Desktop Users
New Account Name: Remote Desktop Users
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14020 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:13 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-555
Group Name: Remote Desktop Users
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14019 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:13 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-552
Group Name: Replicator
Group Domain: Builtin
Changed Attributes:
SAM Account Name: Replicator
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14018 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:13 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-552
Account Domain: Builtin
Old Account Name: Replicator
New Account Name: Replicator
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14017 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:13 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-552
Group Name: Replicator
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14016 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:13 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-551
Group Name: Backup Operators
Group Domain: Builtin
Changed Attributes:
SAM Account Name: Backup Operators
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14015 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:13 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-551
Account Domain: Builtin
Old Account Name: Backup Operators
New Account Name: Backup Operators
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14014 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:13 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-551
Group Name: Backup Operators
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14013 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:13 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-546
Group Name: Guests
Group Domain: Builtin
Changed Attributes:
SAM Account Name: Guests
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14012 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:13 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-546
Account Domain: Builtin
Old Account Name: Guests
New Account Name: Guests
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14011 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:13 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-546
Group Name: Guests
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14010 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:13 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-545
Group Name: Users
Group Domain: Builtin
Changed Attributes:
SAM Account Name: Users
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14009 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:13 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-545
Account Domain: Builtin
Old Account Name: Users
New Account Name: Users
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14008 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:13 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-545
Group Name: Users
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14007 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:13 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Changed Attributes:
SAM Account Name: Administrators
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14006 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:13 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-544
Account Domain: Builtin
Old Account Name: Administrators
New Account Name: Administrators
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14005 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:13 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14004 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:13 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-550
Group Name: Print Operators
Group Domain: Builtin
Changed Attributes:
SAM Account Name: Print Operators
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14003 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:13 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-550
Account Domain: Builtin
Old Account Name: Print Operators
New Account Name: Print Operators
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14002 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:13 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-550
Group Name: Print Operators
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14001 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | n-h1-849328-3 | | 8/24/2022 9:20:13 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14000 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 860 | n-h1-849328-3 | | 8/24/2022 9:20:03 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13999 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 860 | n-h1-849328-3 | | 8/24/2022 9:20:03 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13998 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 860 | n-h1-849328-3 | | 8/24/2022 9:20:02 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13997 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 860 | n-h1-849328-3 | | 8/24/2022 9:20:02 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Privileges: SeAssignPrimaryTokenPrivilege
SeAuditPrivilege
SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13996 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 860 | n-h1-849328-3 | | 8/24/2022 9:20:02 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13995 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 860 | n-h1-849328-3 | | 8/24/2022 9:20:02 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13994 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 860 | n-h1-849328-3 | | 8/24/2022 9:20:02 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13993 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 860 | n-h1-849328-3 | | 8/24/2022 9:20:02 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-90-0-1
Account Name: DWM-1
Account Domain: Window Manager
Logon ID: 0xB5C2
Privileges: SeAssignPrimaryTokenPrivilege
SeAuditPrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13992 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 860 | n-h1-849328-3 | | 8/24/2022 9:20:02 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-90-0-1
Account Name: DWM-1
Account Domain: Window Manager
Logon ID: 0xB5B0
Privileges: SeAssignPrimaryTokenPrivilege
SeAuditPrivilege
SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13991 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 860 | n-h1-849328-3 | | 8/24/2022 9:20:02 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 2
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: No
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-90-0-1
Account Name: DWM-1
Account Domain: Window Manager
Logon ID: 0xB5C2
Linked Logon ID: 0xB5B0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x2d4
Process Name: C:\Windows\System32\winlogon.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13990 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 860 | n-h1-849328-3 | | 8/24/2022 9:20:02 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 2
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-90-0-1
Account Name: DWM-1
Account Domain: Window Manager
Logon ID: 0xB5B0
Linked Logon ID: 0xB5C2
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x2d4
Process Name: C:\Windows\System32\winlogon.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13989 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 860 | n-h1-849328-3 | | 8/24/2022 9:20:02 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: DWM-1
Account Domain: Window Manager
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x2d4
Process Name: C:\Windows\System32\winlogon.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 13988 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 860 | n-h1-849328-3 | | 8/24/2022 9:20:02 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-20
Account Name: NETWORK SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E4
Privileges: SeAssignPrimaryTokenPrivilege
SeAuditPrivilege
SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13987 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 860 | n-h1-849328-3 | | 8/24/2022 9:20:02 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-20
Account Name: NETWORK SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E4
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13986 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 860 | n-h1-849328-3 | | 8/24/2022 9:20:02 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13985 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 860 | n-h1-849328-3 | | 8/24/2022 9:20:01 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: N-H1-849328-3$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13984 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 860 | n-h1-849328-3 | | 8/24/2022 9:20:01 AM | aca241c0-b79a-0005-c341-a2ac9ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The Per-user audit policy table was created.
Number of Elements: 0
Policy ID: 0x61EA | 4902 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 13983 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | n-h1-849328-3 | | 8/24/2022 9:20:01 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 0
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: -
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x4
Process Name:
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: -
Authentication Package: -
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13982 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 820 | n-h1-849328-3 | | 8/24/2022 9:20:01 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Windows is starting up.
This event is logged when LSASS.EXE starts and the auditing subsystem is initialized. | 4608 | 0 | | 0 | 12288 | 0 | -9214364837600034816 | 13981 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 820 | n-h1-849328-3 | | 8/24/2022 9:20:01 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security State Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x330
New Process Name: C:\Windows\System32\lsass.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x2b0
Creator Process Name: C:\Windows\System32\wininit.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13980 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 512 | n-h1-849328-3 | | 8/24/2022 9:20:00 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x320
New Process Name: C:\Windows\System32\services.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x2b0
Creator Process Name: C:\Windows\System32\wininit.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13979 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 512 | n-h1-849328-3 | | 8/24/2022 9:20:00 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x2d4
New Process Name: C:\Windows\System32\winlogon.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x290
Creator Process Name: C:\Windows\System32\smss.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13978 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 512 | n-h1-849328-3 | | 8/24/2022 9:20:00 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x2b0
New Process Name: C:\Windows\System32\wininit.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x248
Creator Process Name: C:\Windows\System32\smss.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13977 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 512 | n-h1-849328-3 | | 8/24/2022 9:20:00 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x298
New Process Name: C:\Windows\System32\csrss.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x290
Creator Process Name: C:\Windows\System32\smss.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13976 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 512 | n-h1-849328-3 | | 8/24/2022 9:20:00 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x290
New Process Name: C:\Windows\System32\smss.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x190
Creator Process Name: C:\Windows\System32\smss.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13975 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 512 | n-h1-849328-3 | | 8/24/2022 9:20:00 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x250
New Process Name: C:\Windows\System32\csrss.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x248
Creator Process Name: C:\Windows\System32\smss.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13974 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 212 | n-h1-849328-3 | | 8/24/2022 9:19:59 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x248
New Process Name: C:\Windows\System32\smss.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x190
Creator Process Name: C:\Windows\System32\smss.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13973 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 212 | n-h1-849328-3 | | 8/24/2022 9:19:59 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x218
New Process Name: C:\Windows\System32\autochk.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x190
Creator Process Name: C:\Windows\System32\smss.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13972 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 136 | n-h1-849328-3 | | 8/24/2022 9:19:57 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x190
New Process Name: C:\Windows\System32\smss.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x4
Creator Process Name:
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13971 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 136 | n-h1-849328-3 | | 8/24/2022 9:19:56 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x18c
New Process Name:
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x4
Creator Process Name:
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13970 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 136 | n-h1-849328-3 | | 8/24/2022 9:19:56 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Boot Configuration Data loaded.
Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
General Settings:
Load Options: -
Advanced Options: No
Configuration Access Policy: Default
System Event Logging: No
Kernel Debugging: No
VSM Launch Type: Auto
Signature Settings:
Test Signing: No
Flight Signing: No
Disable Integrity Checks: No
HyperVisor Settings:
HyperVisor Load Options: -
HyperVisor Launch Type: Auto
HyperVisor Debugging: No | 4826 | 0 | | 0 | 13573 | 0 | -9214364837600034816 | 13969 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 136 | n-h1-849328-3 | | 8/24/2022 9:19:56 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other Policy Change Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The system time was changed.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Process Information:
Process ID: 0x5d0
Name: C:\Windows\System32\svchost.exe
Previous Time: ?2022?-?08?-?24T09:19:47.595652600Z
New Time: ?2022?-?08?-?24T09:19:47.593000000Z
This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer. | 4616 | 1 | | 0 | 12288 | 0 | -9214364837600034816 | 13968 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 136 | WIN-5T344G8GM1H | | 8/24/2022 9:19:47 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security State Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The event logging service has shut down. | 1100 | 0 | | 4 | 103 | 0 | 4620693217682128896 | 13967 | Microsoft-Windows-Eventlog | fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148 | Security | 1300 | 1560 | WIN-5T344G8GM1H | | 8/24/2022 9:19:47 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Service shutdown | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13966 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 856 | WIN-5T344G8GM1H | | 8/24/2022 9:19:43 AM | 725bef53-b79a-0005-57ef-5b729ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13965 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 856 | WIN-5T344G8GM1H | | 8/24/2022 9:19:43 AM | 725bef53-b79a-0005-57ef-5b729ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An attempt was made to reset an account's password.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-21-2114670727-606540684-783651581-1000
Account Name: cloudbase-init
Account Domain: WIN-5T344G8GM1H | 4724 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 13964 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 856 | WIN-5T344G8GM1H | | 8/24/2022 9:19:27 AM | 725bef53-b79a-0005-57ef-5b729ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A user account was changed.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-21-2114670727-606540684-783651581-1000
Account Name: cloudbase-init
Account Domain: WIN-5T344G8GM1H
Changed Attributes:
SAM Account Name: cloudbase-init
Display Name: cloudbase-init
User Principal Name: -
Home Directory: <value not set>
Home Drive: <value not set>
Script Path: <value not set>
Profile Path: <value not set>
User Workstations: <value not set>
Password Last Set: 8/24/2022 9:19:27 AM
Account Expires: <never>
Primary Group ID: 513
AllowedToDelegateTo: -
Old UAC Value: 0x210
New UAC Value: 0x210
User Account Control: -
User Parameters: -
SID History: -
Logon Hours: All
Additional Information:
Privileges: - | 4738 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 13963 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 856 | WIN-5T344G8GM1H | | 8/24/2022 9:19:27 AM | 725bef53-b79a-0005-57ef-5b729ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A user's local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
User:
Security ID: S-1-5-21-2114670727-606540684-783651581-1000
Account Name: cloudbase-init
Account Domain: WIN-5T344G8GM1H
Process Information:
Process ID: 0xb34
Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe | 4798 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 13962 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 856 | WIN-5T344G8GM1H | | 8/24/2022 9:19:27 AM | 725bef53-b79a-0005-57ef-5b729ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A user's local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
User:
Security ID: S-1-5-21-2114670727-606540684-783651581-1000
Account Name: cloudbase-init
Account Domain: WIN-5T344G8GM1H
Process Information:
Process ID: 0xb34
Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe | 4798 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 13961 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 856 | WIN-5T344G8GM1H | | 8/24/2022 9:19:27 AM | 725bef53-b79a-0005-57ef-5b729ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Auditing settings on object were changed.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Object:
Object Server: Security
Object Type: File
Object Name: C:\Windows\Temp\winre\ExtractedFromWim
Handle ID: 0x398
Process Information:
Process ID: 0x498
Process Name: C:\Windows\System32\oobe\Setup.exe
Auditing Settings:
Original Security Descriptor:
New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) | 4907 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 13960 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 588 | WIN-5T344G8GM1H | | 8/24/2022 9:19:03 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13959 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 896 | WIN-5T344G8GM1H | | 8/24/2022 9:18:52 AM | 725bef53-b79a-0005-57ef-5b729ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13958 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 896 | WIN-5T344G8GM1H | | 8/24/2022 9:18:52 AM | 725bef53-b79a-0005-57ef-5b729ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The Windows Firewall service started successfully. | 5024 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 13957 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 896 | WIN-5T344G8GM1H | | 8/24/2022 9:18:52 AM | 725bef53-b79a-0005-57ef-5b729ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: No
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-7
Account Name: ANONYMOUS LOGON
Account Domain: NT AUTHORITY
Logon ID: 0x633D0
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): NTLM V1
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13956 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 896 | WIN-5T344G8GM1H | | 8/24/2022 9:18:51 AM | 725bef53-b79a-0005-57ef-5b729ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13955 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 896 | WIN-5T344G8GM1H | | 8/24/2022 9:18:51 AM | 725bef53-b79a-0005-57ef-5b729ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13954 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 896 | WIN-5T344G8GM1H | | 8/24/2022 9:18:51 AM | 725bef53-b79a-0005-57ef-5b729ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13953 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 896 | WIN-5T344G8GM1H | | 8/24/2022 9:18:51 AM | 725bef53-b79a-0005-57ef-5b729ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13952 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 896 | WIN-5T344G8GM1H | | 8/24/2022 9:18:51 AM | 725bef53-b79a-0005-57ef-5b729ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13951 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 896 | WIN-5T344G8GM1H | | 8/24/2022 9:18:51 AM | 725bef53-b79a-0005-57ef-5b729ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13950 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 856 | WIN-5T344G8GM1H | | 8/24/2022 9:18:51 AM | 725bef53-b79a-0005-57ef-5b729ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13949 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 896 | WIN-5T344G8GM1H | | 8/24/2022 9:18:51 AM | 725bef53-b79a-0005-57ef-5b729ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13948 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 856 | WIN-5T344G8GM1H | | 8/24/2022 9:18:51 AM | 725bef53-b79a-0005-57ef-5b729ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13947 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 856 | WIN-5T344G8GM1H | | 8/24/2022 9:18:51 AM | 725bef53-b79a-0005-57ef-5b729ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13946 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 856 | WIN-5T344G8GM1H | | 8/24/2022 9:18:51 AM | 725bef53-b79a-0005-57ef-5b729ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The Windows Firewall Driver started successfully. | 5033 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 13945 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 136 | WIN-5T344G8GM1H | | 8/24/2022 9:18:50 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13944 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 896 | WIN-5T344G8GM1H | | 8/24/2022 9:18:50 AM | 725bef53-b79a-0005-57ef-5b729ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13943 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 896 | WIN-5T344G8GM1H | | 8/24/2022 9:18:50 AM | 725bef53-b79a-0005-57ef-5b729ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13942 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 900 | WIN-5T344G8GM1H | | 8/24/2022 9:18:50 AM | 725bef53-b79a-0005-57ef-5b729ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13941 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 900 | WIN-5T344G8GM1H | | 8/24/2022 9:18:50 AM | 725bef53-b79a-0005-57ef-5b729ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The system time was changed.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Process Information:
Process ID: 0x514
Name: C:\Windows\System32\svchost.exe
Previous Time: ?2022?-?08?-?24T09:18:49.857640100Z
New Time: ?2022?-?08?-?24T09:18:50.061000000Z
This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer. | 4616 | 1 | | 0 | 12288 | 0 | -9214364837600034816 | 13940 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 584 | WIN-5T344G8GM1H | | 8/24/2022 9:18:50 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security State Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13939 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 900 | WIN-5T344G8GM1H | | 8/24/2022 9:18:49 AM | 725bef53-b79a-0005-57ef-5b729ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13938 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 900 | WIN-5T344G8GM1H | | 8/24/2022 9:18:49 AM | 725bef53-b79a-0005-57ef-5b729ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13937 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 900 | WIN-5T344G8GM1H | | 8/24/2022 9:18:49 AM | 725bef53-b79a-0005-57ef-5b729ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13936 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 900 | WIN-5T344G8GM1H | | 8/24/2022 9:18:49 AM | 725bef53-b79a-0005-57ef-5b729ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13935 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 896 | WIN-5T344G8GM1H | | 8/24/2022 9:18:42 AM | 725bef53-b79a-0005-57ef-5b729ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13934 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 896 | WIN-5T344G8GM1H | | 8/24/2022 9:18:42 AM | 725bef53-b79a-0005-57ef-5b729ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13933 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 896 | WIN-5T344G8GM1H | | 8/24/2022 9:18:41 AM | 725bef53-b79a-0005-57ef-5b729ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13932 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 896 | WIN-5T344G8GM1H | | 8/24/2022 9:18:41 AM | 725bef53-b79a-0005-57ef-5b729ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Privileges: SeAssignPrimaryTokenPrivilege
SeAuditPrivilege
SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13931 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 896 | WIN-5T344G8GM1H | | 8/24/2022 9:18:41 AM | 725bef53-b79a-0005-57ef-5b729ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13930 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 896 | WIN-5T344G8GM1H | | 8/24/2022 9:18:41 AM | 725bef53-b79a-0005-57ef-5b729ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-90-0-1
Account Name: DWM-1
Account Domain: Window Manager
Logon ID: 0x57666
Privileges: SeAssignPrimaryTokenPrivilege
SeAuditPrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13929 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 896 | WIN-5T344G8GM1H | | 8/24/2022 9:18:41 AM | 725bef53-b79a-0005-57ef-5b729ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-90-0-1
Account Name: DWM-1
Account Domain: Window Manager
Logon ID: 0x57654
Privileges: SeAssignPrimaryTokenPrivilege
SeAuditPrivilege
SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13928 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 896 | WIN-5T344G8GM1H | | 8/24/2022 9:18:41 AM | 725bef53-b79a-0005-57ef-5b729ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 2
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: No
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-90-0-1
Account Name: DWM-1
Account Domain: Window Manager
Logon ID: 0x57666
Linked Logon ID: 0x57654
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x2d4
Process Name: C:\Windows\System32\winlogon.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13927 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 896 | WIN-5T344G8GM1H | | 8/24/2022 9:18:41 AM | 725bef53-b79a-0005-57ef-5b729ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 2
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-90-0-1
Account Name: DWM-1
Account Domain: Window Manager
Logon ID: 0x57654
Linked Logon ID: 0x57666
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x2d4
Process Name: C:\Windows\System32\winlogon.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13926 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 896 | WIN-5T344G8GM1H | | 8/24/2022 9:18:41 AM | 725bef53-b79a-0005-57ef-5b729ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: DWM-1
Account Domain: Window Manager
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x2d4
Process Name: C:\Windows\System32\winlogon.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 13925 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 896 | WIN-5T344G8GM1H | | 8/24/2022 9:18:41 AM | 725bef53-b79a-0005-57ef-5b729ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13924 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 896 | WIN-5T344G8GM1H | | 8/24/2022 9:18:41 AM | 725bef53-b79a-0005-57ef-5b729ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13923 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 896 | WIN-5T344G8GM1H | | 8/24/2022 9:18:41 AM | 725bef53-b79a-0005-57ef-5b729ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-20
Account Name: NETWORK SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E4
Privileges: SeAssignPrimaryTokenPrivilege
SeAuditPrivilege
SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13922 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 896 | WIN-5T344G8GM1H | | 8/24/2022 9:18:40 AM | 725bef53-b79a-0005-57ef-5b729ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-20
Account Name: NETWORK SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E4
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13921 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 896 | WIN-5T344G8GM1H | | 8/24/2022 9:18:40 AM | 725bef53-b79a-0005-57ef-5b729ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13920 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 848 | WIN-5T344G8GM1H | | 8/24/2022 9:18:40 AM | 725bef53-b79a-0005-57ef-5b729ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13919 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 848 | WIN-5T344G8GM1H | | 8/24/2022 9:18:40 AM | 725bef53-b79a-0005-57ef-5b729ab7d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The Per-user audit policy table was created.
Number of Elements: 0
Policy ID: 0x500E0 | 4902 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 13918 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | WIN-5T344G8GM1H | | 8/24/2022 9:18:40 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 0
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: -
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x4
Process Name:
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: -
Authentication Package: -
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13917 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 820 | WIN-5T344G8GM1H | | 8/24/2022 9:18:39 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Windows is starting up.
This event is logged when LSASS.EXE starts and the auditing subsystem is initialized. | 4608 | 0 | | 0 | 12288 | 0 | -9214364837600034816 | 13916 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 820 | WIN-5T344G8GM1H | | 8/24/2022 9:18:39 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security State Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x330
New Process Name: C:\Windows\System32\lsass.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x2b0
Creator Process Name: C:\Windows\System32\wininit.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13915 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 32 | WIN-5T344G8GM1H | | 8/24/2022 9:18:39 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x320
New Process Name: C:\Windows\System32\services.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x2b0
Creator Process Name: C:\Windows\System32\wininit.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13914 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 32 | WIN-5T344G8GM1H | | 8/24/2022 9:18:39 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x2d4
New Process Name: C:\Windows\System32\winlogon.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x290
Creator Process Name: C:\Windows\System32\smss.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13913 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 32 | WIN-5T344G8GM1H | | 8/24/2022 9:18:38 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x2b0
New Process Name: C:\Windows\System32\wininit.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x250
Creator Process Name: C:\Windows\System32\smss.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13912 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 32 | WIN-5T344G8GM1H | | 8/24/2022 9:18:38 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x298
New Process Name: C:\Windows\System32\csrss.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x290
Creator Process Name: C:\Windows\System32\smss.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13911 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 32 | WIN-5T344G8GM1H | | 8/24/2022 9:18:38 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x290
New Process Name: C:\Windows\System32\smss.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x1e4
Creator Process Name: C:\Windows\System32\smss.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13910 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 32 | WIN-5T344G8GM1H | | 8/24/2022 9:18:38 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x258
New Process Name: C:\Windows\System32\csrss.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x250
Creator Process Name: C:\Windows\System32\smss.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13909 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 472 | WIN-5T344G8GM1H | | 8/24/2022 9:18:38 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x250
New Process Name: C:\Windows\System32\smss.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x1e4
Creator Process Name: C:\Windows\System32\smss.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13908 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 472 | WIN-5T344G8GM1H | | 8/24/2022 9:18:38 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x238
New Process Name: C:\Windows\System32\setupcl.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x1e4
Creator Process Name: C:\Windows\System32\smss.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13907 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 468 | WIN-5T344G8GM1H | | 8/24/2022 9:18:22 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x208
New Process Name: C:\Windows\System32\autochk.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x1e4
Creator Process Name: C:\Windows\System32\smss.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13906 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 236 | WIN-5T344G8GM1H | | 8/24/2022 9:18:19 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1e4
New Process Name: C:\Windows\System32\smss.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x4
Creator Process Name:
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13905 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 136 | WIN-5T344G8GM1H | | 8/24/2022 9:18:19 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1e0
New Process Name:
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x4
Creator Process Name:
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13904 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 136 | WIN-5T344G8GM1H | | 8/24/2022 9:18:19 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Boot Configuration Data loaded.
Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
General Settings:
Load Options: -
Advanced Options: No
Configuration Access Policy: Default
System Event Logging: No
Kernel Debugging: No
VSM Launch Type: Auto
Signature Settings:
Test Signing: No
Flight Signing: No
Disable Integrity Checks: No
HyperVisor Settings:
HyperVisor Load Options: -
HyperVisor Launch Type: Auto
HyperVisor Debugging: No | 4826 | 0 | | 0 | 13573 | 0 | -9214364837600034816 | 13903 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 136 | WIN-5T344G8GM1H | | 8/24/2022 9:18:19 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other Policy Change Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The system time was changed.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Process Information:
Process ID: 0x4dc
Name: C:\Windows\System32\svchost.exe
Previous Time: ?2018?-?01?-?19T09:48:13.164762500Z
New Time: ?2018?-?01?-?19T09:48:13.152000000Z
This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer. | 4616 | 1 | | 0 | 12288 | 0 | -9214364837600034816 | 13902 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 1980 | WIN-5T344G8GM1H | | 1/19/2018 9:48:13 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security State Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The event logging service has shut down. | 1100 | 0 | | 4 | 103 | 0 | 4620693217682128896 | 13901 | Microsoft-Windows-Eventlog | fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148 | Security | 436 | 1144 | WIN-5T344G8GM1H | | 1/19/2018 9:48:13 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Service shutdown | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
User initiated logoff:
Subject:
Security ID: S-1-5-21-416071247-492812682-1642729393-500
Account Name: Administrator
Account Domain: WIN-5T344G8GM1H
Logon ID: 0x1F0E3
This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event. | 4647 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 13900 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 664 | 716 | WIN-5T344G8GM1H | | 1/19/2018 9:48:12 AM | ad8d0f9c-9109-0000-b10f-8dad0991d301 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13899 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 664 | 3024 | WIN-5T344G8GM1H | | 1/19/2018 9:48:11 AM | ad8d0f9c-9109-0000-b10f-8dad0991d301 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x290
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13898 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 664 | 3024 | WIN-5T344G8GM1H | | 1/19/2018 9:48:11 AM | ad8d0f9c-9109-0000-b10f-8dad0991d301 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13897 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 664 | 756 | WIN-5T344G8GM1H | | 1/19/2018 9:48:10 AM | ad8d0f9c-9109-0000-b10f-8dad0991d301 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x290
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13896 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 664 | 756 | WIN-5T344G8GM1H | | 1/19/2018 9:48:10 AM | ad8d0f9c-9109-0000-b10f-8dad0991d301 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Domain Policy was changed.
Change Type: Password Policy modified
Subject:
Security ID: S-1-5-21-416071247-492812682-1642729393-500
Account Name: Administrator
Account Domain: WIN-5T344G8GM1H
Logon ID: 0x1F0E3
Domain:
Domain Name: WIN-5T344G8GM1H
Domain ID: S-1-5-21-416071247-492812682-1642729393
Changed Attributes:
Min. Password Age:
Max. Password Age:
Force Logoff:
Lockout Threshold:
Lockout Observation Window:
Lockout Duration:
Password Properties:
Min. Password Length:
Password History Length: -
Machine Account Quota: -
Mixed Domain Mode: -
Domain Behavior Version: -
OEM Information: 1
Additional Information:
Privileges: - | 4739 | 0 | | 0 | 13569 | 0 | -9214364837600034816 | 13895 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 664 | 716 | WIN-5T344G8GM1H | | 1/19/2018 9:47:34 AM | ad8d0f9c-9109-0000-b10f-8dad0991d301 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Authentication Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A user account was changed.
Subject:
Security ID: S-1-5-21-416071247-492812682-1642729393-500
Account Name: Administrator
Account Domain: WIN-5T344G8GM1H
Logon ID: 0x1F0E3
Target Account:
Security ID: S-1-5-21-416071247-492812682-1642729393-500
Account Name: Administrator
Account Domain: WIN-5T344G8GM1H
Changed Attributes:
SAM Account Name: Administrator
Display Name: <value not set>
User Principal Name: -
Home Directory: <value not set>
Home Drive: <value not set>
Script Path: <value not set>
Profile Path: <value not set>
User Workstations: <value not set>
Password Last Set: <never>
Account Expires: <never>
Primary Group ID: 513
AllowedToDelegateTo: -
Old UAC Value: 0x210
New UAC Value: 0x10
User Account Control:
'Don't Expire Password' - Disabled
User Parameters: <value not set>
SID History: -
Logon Hours: All
Additional Information:
Privileges: - | 4738 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 13894 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 664 | 716 | WIN-5T344G8GM1H | | 1/19/2018 9:47:34 AM | ad8d0f9c-9109-0000-b10f-8dad0991d301 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An attempt was made to reset an account's password.
Subject:
Security ID: S-1-5-21-416071247-492812682-1642729393-500
Account Name: Administrator
Account Domain: WIN-5T344G8GM1H
Logon ID: 0x1F0E3
Target Account:
Security ID: S-1-5-21-416071247-492812682-1642729393-500
Account Name: Administrator
Account Domain: WIN-5T344G8GM1H | 4724 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 13893 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 664 | 716 | WIN-5T344G8GM1H | | 1/19/2018 9:47:34 AM | ad8d0f9c-9109-0000-b10f-8dad0991d301 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A user account was changed.
Subject:
Security ID: S-1-5-21-416071247-492812682-1642729393-500
Account Name: Administrator
Account Domain: WIN-5T344G8GM1H
Logon ID: 0x1F0E3
Target Account:
Security ID: S-1-5-21-416071247-492812682-1642729393-500
Account Name: Administrator
Account Domain: WIN-5T344G8GM1H
Changed Attributes:
SAM Account Name: Administrator
Display Name: <value not set>
User Principal Name: -
Home Directory: <value not set>
Home Drive: <value not set>
Script Path: <value not set>
Profile Path: <value not set>
User Workstations: <value not set>
Password Last Set: 1/19/2018 9:47:34 AM
Account Expires: <never>
Primary Group ID: 513
AllowedToDelegateTo: -
Old UAC Value: 0x210
New UAC Value: 0x210
User Account Control: -
User Parameters: -
SID History: -
Logon Hours: All
Additional Information:
Privileges: - | 4738 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 13892 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 664 | 716 | WIN-5T344G8GM1H | | 1/19/2018 9:47:34 AM | ad8d0f9c-9109-0000-b10f-8dad0991d301 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Domain Policy was changed.
Change Type: Password Policy modified
Subject:
Security ID: S-1-5-21-416071247-492812682-1642729393-500
Account Name: Administrator
Account Domain: WIN-5T344G8GM1H
Logon ID: 0x1F0E3
Domain:
Domain Name: WIN-5T344G8GM1H
Domain ID: S-1-5-21-416071247-492812682-1642729393
Changed Attributes:
Min. Password Age: ??
Max. Password Age:
Force Logoff: ??
Lockout Threshold:
Lockout Observation Window: -
Lockout Duration: -
Password Properties: -
Min. Password Length: -
Password History Length: 0
Machine Account Quota: 0
Mixed Domain Mode: 0
Domain Behavior Version: -
OEM Information: -
Additional Information:
Privileges: - | 4739 | 0 | | 0 | 13569 | 0 | -9214364837600034816 | 13891 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 664 | 716 | WIN-5T344G8GM1H | | 1/19/2018 9:47:34 AM | ad8d0f9c-9109-0000-b10f-8dad0991d301 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Authentication Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A user's local group membership was enumerated.
Subject:
Security ID: S-1-5-21-416071247-492812682-1642729393-500
Account Name: Administrator
Account Domain: WIN-5T344G8GM1H
Logon ID: 0x1F0E3
User:
Security ID: S-1-5-21-416071247-492812682-1642729393-500
Account Name: Administrator
Account Domain: WIN-5T344G8GM1H
Process Information:
Process ID: 0xfac
Process Name: C:\Windows\System32\Sysprep\sysprep.exe | 4798 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 13890 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 664 | 716 | WIN-5T344G8GM1H | | 1/19/2018 9:47:34 AM | ad8d0f9c-9109-0000-b10f-8dad0991d301 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13889 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 664 | 716 | WIN-5T344G8GM1H | | 1/19/2018 9:47:33 AM | ad8d0f9c-9109-0000-b10f-8dad0991d301 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x290
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13888 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 664 | 716 | WIN-5T344G8GM1H | | 1/19/2018 9:47:33 AM | ad8d0f9c-9109-0000-b10f-8dad0991d301 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The audit log was cleared.
Subject:
Security ID: S-1-5-21-416071247-492812682-1642729393-500
Account Name: Administrator
Domain Name: WIN-5T344G8GM1H
Logon ID: 0x1F0E3 | 1102 | 0 | | 4 | 104 | 0 | 4620693217682128896 | 13887 | Microsoft-Windows-Eventlog | fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148 | Security | 436 | 1136 | WIN-5T344G8GM1H | | 1/19/2018 9:47:33 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Log clear | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |